CVE-2023-28733

Published: Mar 30, 2023Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.

Affected (1)

Products: Acymailing: Acymailing

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Acymailing Acymailing	Before 8.3.0

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://www.acymailing.com/change-log/

Source: vulnerability@ncsc.ch

Release Notes

https://www.bugbounty.ch/advisories/CVE-2023-28733

Source: vulnerability@ncsc.ch

Third Party Advisory

https://www.acymailing.com/change-log/

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://www.bugbounty.ch/advisories/CVE-2023-28733

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.