VYPR
Medium severity 5.4 · NVD Advisory · Published Mar 18, 2024 · Updated Apr 15, 2026

CVE-2023-39223

Description

A stored cross-site scripting vulnerability exists in CGIs included in A.K.I Software's PMailServer/PMailServer2 products. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user's web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting (XSS) vulnerability in PMailServer/PMailServer2 CGIs allows an attacker to execute arbitrary scripts in a logged-in user's browser.

A stored cross-site scripting (XSS) vulnerability exists in multiple CGI executables included with A.K.I Software's PMailServer and PMailServer2 products. The flaw occurs when user-supplied input is not properly sanitized before being output in HTML pages generated by affected CGIs (pmam.exe, pmum.exe, pmc.exe), allowing an attacker to inject persistent malicious scripts [1][2].

An attacker with authenticated access can store a crafted payload in fields processed by these CGIs. When the stored content is later viewed by any logged-in user—including administrators—the script executes in the context of the victim's browser session. No additional privileges beyond a valid user account are required, as the attack leverages the application's own data storage and rendering mechanisms [1][2].

Successful exploitation allows the attacker to perform actions on behalf of the victim, such as accessing sensitive data, modifying user settings, or performing administrative operations. The CVSS v3 base score for CVE-2023-39223 is 5.4 (Medium), with the vector indicating network access, low attack complexity, low privileges required, and user interaction needed for script execution [2].

The vendor has released updated versions to address the vulnerability. PMailServer users should upgrade to Version 1.92 or later; PMailServer2 users should upgrade to Version 2.51a or later. The affected CGIs include pmam.exe, pmum.exe, and pmc.exe; users are advised to verify file versions and apply the latest patches from A.K.I Software [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

2
