VYPR
Medium severity 4.6 · NVD Advisory · Published Nov 29, 2024 · Updated Apr 15, 2026

CVE-2024-11990

Description

A Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 could allow an attacker to execute arbitrary JavaScript code via an elaborate payload injected into vulnerable parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 allows remote authenticated attackers to execute arbitrary JavaScript via crafted payloads.

Vulnerability Overview

CVE-2024-11990 is a Cross-Site Scripting (XSS) vulnerability in NetWin SurgeMail version 78c2. The flaw allows an attacker to inject arbitrary JavaScript code through specially crafted payloads sent to vulnerable parameters. This issue is classified under CWE-79, indicating improper neutralization of input during web page generation.

Exploitation Details

The vulnerability can be exploited by an authenticated user with low privileges and requires user interaction. The attack vector is the network, meaning the attacker can send malicious input remotely. Successful exploitation depends on the victim (e.g., an administrator) interacting with the crafted content, which leads to script execution in the context of their session.

Impact

A successful attack can result in limited confidentiality and integrity impact, such as accessing or modifying sensitive data within the application. The CVSS v3.1 base score is 4.6 (Medium), with the vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Mitigation

NetWin has addressed this vulnerability in SurgeMail version 78e. Users are advised to upgrade to this patched version to mitigate the risk [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
