Stored cross-site scripting in A.K.I Software products - CVE-2023-39223

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: The following CGIs included with the vulnerable products are affected by the vulnerability.

• pmc.exe 2.5.1.720 and earlier
• pmam.exe 2.5.1.1411 and earlier
• pmmls.exe 2.5.1.561 and earlier
• pmum.exe (Standard edition) 2.5.1.25451 and earlier
• pmum.exe (Pro edition) 2.5.1.25452 and earlier
• pmum.exe (Standard + IMAP4 edition) 2.5.1.25453 and earlier
• pmum.exe (Pro + IMAP4 edition / Enterprise edition) 2.5.1.25454 and earlier
• pmman.exe (Standard edition) 2.5.1.12154 and earlier
• pmman.exe (Pro edition) 2.5.1.12155 and earlier
• pmman.exe (Standard + IMAP4 edition) 2.5.1.12156 and earlier
• pmman.exe (Pro + IMAP4 edition) 2.5.1.12157 and earlier
• pmman.exe (Enterprise edition) 2.5.1.12158 and earlier

Remediation

External links

• https://jvn.jp/en/jp/JVN92720882/index.html
• https://akisoftware.com/Vulnerability202301.html