Vendor CVEs
Smartertools
All CVEs
53 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-7807 | Hig | 0.53 | 8.1 | 0.00 | May 8, 2026 | SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak… | ||
| CVE-2026-26930 | Hig | 0.47 | 7.2 | 0.00 | Feb 16, 2026 | SmarterTools SmarterMail before 9526 allows XSS via MAPI requests. | ||
| CVE-2017-14620 | Med | 0.43 | 6.1 | 0.02 | Sep 30, 2017 | SmarterStats Version 11.3.6347 will Render the Referer Field of HTTP Logfiles from URL /Data/Reports/ReferringURLsWithQueries resulting in Stored Cross Site Scripting. | ||
| CVE-2026-40514 | Med | 0.38 | 5.9 | 0.00 | Apr 27, 2026 | SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to… | ||
| CVE-2025-52691 | 0.28 | — | 0.85 | KEV | Dec 29, 2025 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | ||
| CVE-2026-24423 | 0.25 | — | 0.88 | KEV | Jan 23, 2026 | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be… | ||
| CVE-2026-23760 | 0.25 | — | 0.96 | KEV | Jan 22, 2026 | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system… | ||
| CVE-2019-7214 | 0.10 | — | 0.83 | Apr 24, 2019 | SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch. | |||
| CVE-2022-24384 | 0.04 | — | 0.04 | Mar 14, 2022 | Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010. | |||
| CVE-2012-2578 | 0.03 | — | 0.02 | Sep 19, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in SmarterMail 9.2 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a JavaScript alert function used in conjunction with the fromCharCode method, (2) a SCRIPT element, (3) a… | |||
| CVE-2010-3486 | 0.03 | — | 0.03 | Sep 22, 2010 | Directory traversal vulnerability in FileStorageUpload.ashx in SmarterMail 7.1.3876 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash), (2) %5C (encoded backslash), or (3) %255c (double-encoded backslash) in the name parameter. | |||
| CVE-2010-3425 | 0.03 | — | 0.01 | Sep 16, 2010 | Cross-site scripting (XSS) vulnerability in UserControls/Popups/frmHelp.aspx in SmarterStats 5.3, 5.3.3819, and possibly other 5.3 versions, allows remote attackers to inject arbitrary web script or HTML via the url parameter. | |||
| CVE-2008-1854 | 0.03 | — | 0.03 | Apr 16, 2008 | Unspecified vulnerability in SmarterMail Web Server (SMWebSvr.exe) in SmarterMail 5.0.2999 allows remote attackers to cause a denial of service (service termination) via a long HTTP (1) GET, (2) HEAD, (3) PUT, (4) POST, or (5) TRACE request. NOTE: the provenance of this… | |||
| CVE-2008-0872 | 0.03 | — | 0.02 | Feb 21, 2008 | Cross-site scripting (XSS) vulnerability in SmarterTools SmarterMail Enterprise 4.3 allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute of an element in the Subject field of an e-mail message. | |||
| CVE-2019-7213 | 0.01 | — | 0.42 | Apr 24, 2019 | SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server for instance by… | |||
| CVE-2026-25067 | 0.00 | — | 0.00 | Jan 29, 2026 | SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows… | |||
| CVE-2020-36926 | 0.00 | — | 0.00 | Jan 15, 2026 | SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with… | |||
| CVE-2023-48115 | 0.00 | — | 0.00 | Dec 21, 2023 | SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request. | |||
| CVE-2023-48114 | 0.00 | — | 0.00 | Dec 21, 2023 | SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an… | |||
| CVE-2023-48116 | 0.00 | — | 0.00 | Dec 21, 2023 | SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment. | |||
| CVE-2022-24387 | 0.00 | — | 0.01 | Mar 14, 2022 | With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g. the systemsettings.xml file. THis is possible in SmarterTrack v100.0.8019.14010 | |||
| CVE-2022-24386 | 0.00 | — | 0.01 | Mar 14, 2022 | Stored XSS in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010. | |||
| CVE-2022-24385 | 0.00 | — | 0.01 | Mar 14, 2022 | A Direct Object Access vulnerability in SmarterTools SmarterTrack leads to information disclosure This issue affects: SmarterTools SmarterTrack 100.0.8019.14010. | |||
| CVE-2021-43977 | 0.00 | — | 0.01 | Nov 17, 2021 | SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS. | |||
| CVE-2021-32234 | 0.00 | — | 0.02 | Nov 17, 2021 | SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution. | |||
| CVE-2021-40377 | 0.00 | — | 0.00 | Sep 8, 2021 | SmarterTools SmarterMail 16.x before build 7866 has stored XSS. The application fails to sanitize email content, thus allowing one to inject HTML and/or JavaScript into a page that will then be processed and stored by the application. | |||
| CVE-2020-29548 | 0.00 | — | 0.01 | Aug 17, 2021 | An issue was discovered in SmarterTools SmarterMail through 100.0.7537. Meddler-in-the-middle attackers can pipeline commands after a POP3 STLS command, injecting plaintext commands into an encrypted user session. | |||
| CVE-2021-32233 | 0.00 | — | 0.01 | Jul 5, 2021 | SmarterTools SmarterMail before Build 7776 allows XSS. | |||
| CVE-2019-7212 | 0.00 | — | 0.01 | Apr 24, 2019 | SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users’ emails and file attachments. It was also possible to interact with mailing lists. | |||
| CVE-2019-7211 | 0.00 | — | 0.01 | Apr 24, 2019 | SmarterTools SmarterMail 16.x before build 6995 has stored XSS. JavaScript code could be executed on the application by opening a malicious email or when viewing a malicious file attachment. | |||
| CVE-2015-9276 | 0.00 | — | 0.01 | Jan 16, 2019 | SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could… | |||
| CVE-2011-4752 | 0.00 | — | 0.02 | Dec 16, 2011 | SmarterTools SmarterStats 6.2.4100 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving frmCustomReport.aspx and certain other files. NOTE: it is possible… | |||
| CVE-2011-4751 | 0.00 | — | 0.01 | Dec 16, 2011 | SmarterTools SmarterStats 6.2.4100 generates web pages containing external links in response to GET requests with query strings for frmGettingStarted.aspx, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2)… | |||
| CVE-2011-4750 | 0.00 | — | 0.01 | Dec 16, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in SmarterTools SmarterStats 6.2.4100 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by Default.aspx and certain other files. | |||
| CVE-2011-2159 | 0.00 | — | 0.04 | May 20, 2011 | The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/Defaults/frmDefaultSiteSettings.aspx, (2)… | |||
| CVE-2011-2158 | 0.00 | — | 0.04 | May 20, 2011 | The SmarterTools SmarterStats 6.0 web server sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/frmSite.aspx, (2) Admin/frmSites.aspx, (3)… | |||
| CVE-2011-2157 | 0.00 | — | 0.03 | May 20, 2011 | The (1) Admin/frmEmailReportSettings.aspx and (2) Admin/frmGeneralSettings.aspx components in the SmarterTools SmarterStats 6.0 web server generate web pages containing e-mail addresses, which allows remote attackers to obtain potentially sensitive information by reading the… | |||
| CVE-2011-2156 | 0.00 | — | 0.03 | May 20, 2011 | The SmarterTools SmarterStats 6.0 web server allows remote attackers to obtain directory listings via a direct request for the (1) Admin/, (2) Admin/Defaults/, (3) Admin/GettingStarted/, (4) Admin/Popups/, (5) App_Themes/, (6) Client/, (7) Client/Popups/, (8) Services/, (9)… | |||
| CVE-2011-2155 | 0.00 | — | 0.04 | May 20, 2011 | Login.aspx in the SmarterTools SmarterStats 6.0 web server generates a ctl00$MPH$txtPassword password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation. | |||
| CVE-2011-2154 | 0.00 | — | 0.03 | May 20, 2011 | login.aspx in the SmarterTools SmarterStats 6.0 web server does not include the HTTPOnly flag in a Set-Cookie header for the loginsettings cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | |||
| CVE-2011-2153 | 0.00 | — | 0.02 | May 20, 2011 | Login.aspx in the SmarterTools SmarterStats 6.0 web server supports URLs containing txtUser and txtPass parameters in the query string, which makes it easier for context-dependent attackers to discover credentials by reading (1) web-server access logs, (2) web-server Referer… | |||
| CVE-2011-2152 | 0.00 | — | 0.03 | May 20, 2011 | The SmarterTools SmarterStats 6.0 web server generates web pages containing external links in response to GET requests with query strings for (1) Client/frmViewReports.aspx or (2) UserControls/Popups/frmHelp.aspx, which makes it easier for remote attackers to obtain sensitive… | |||
| CVE-2011-2151 | 0.00 | — | 0.03 | May 20, 2011 | The (1) Admin/frmEmailReportSettings.aspx, (2) Admin/frmGeneralSettings.aspx, (3) Admin/frmSite.aspx, (4) Client/frmUser.aspx, and (5) Login.aspx components in the SmarterTools SmarterStats 6.0 web server accept cleartext passwords, which makes it easier for remote attackers to… | |||
| CVE-2011-2150 | 0.00 | — | 0.03 | May 20, 2011 | The SmarterTools SmarterStats 6.0 web server does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error and daemon pause) via vectors involving (1) certain cookies in a… | |||
| CVE-2011-2149 | 0.00 | — | 0.02 | May 20, 2011 | Multiple SQL injection vulnerabilities in the SmarterTools SmarterStats 6.0 web server allow remote attackers to execute arbitrary SQL commands via certain parameters to (1) Admin/frmSite.aspx, (2) Default.aspx, (3) Services/SiteAdmin.asmx, or (4) Client/frmViewReports.aspx;… | |||
| CVE-2011-2148 | 0.00 | — | 0.05 | May 20, 2011 | Admin/frmSite.aspx in the SmarterTools SmarterStats 6.0 web server allows remote attackers to execute arbitrary commands via vectors involving a leading and trailing & (ampersand) character, and (1) an STTTState cookie, (2) the ctl00%24MPH%24txtAdminNewPassword_SettingText… | |||
| CVE-2009-4995 | 0.00 | — | 0.01 | Aug 25, 2010 | Cross-site scripting (XSS) vulnerability in frmTickets.aspx in SmarterTools SmarterTrack before 4.0.3504 allows remote attackers to inject arbitrary web script or HTML via the email address field. NOTE: the provenance of this information is unknown; the details are obtained… | |||
| CVE-2009-4994 | 0.00 | — | 0.01 | Aug 25, 2010 | Cross-site scripting (XSS) vulnerability in frmKBSearch.aspx in SmarterTools SmarterTrack before 4.0.3504 allows remote attackers to inject arbitrary web script or HTML via the search parameter. | |||
| CVE-2004-2585 | 0.00 | — | 0.01 | Dec 31, 2004 | Cross-site scripting (XSS) vulnerability in frmCompose.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to inject arbitrary web script or HTML via Javascript to the "check spelling" feature in the compose area. | |||
| CVE-2004-2586 | 0.00 | — | 0.02 | Dec 31, 2004 | Directory traversal vulnerability in frmGetAttachment.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to read arbitrary files via the filename parameter. |
- risk 0.53cvss 8.1epss 0.00
SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak…
- risk 0.47cvss 7.2epss 0.00
SmarterTools SmarterMail before 9526 allows XSS via MAPI requests.
- risk 0.43cvss 6.1epss 0.02
SmarterStats Version 11.3.6347 will Render the Referer Field of HTTP Logfiles from URL /Data/Reports/ReferringURLsWithQueries resulting in Stored Cross Site Scripting.
- risk 0.38cvss 5.9epss 0.00
SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to…
- risk 0.28cvss —epss 0.85
Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
- risk 0.25cvss —epss 0.88
SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS command. This command will be…
- risk 0.25cvss —epss 0.96
SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system…
- CVE-2019-7214Apr 24, 2019risk 0.10cvss —epss 0.83
SmarterTools SmarterMail 16.x before build 6985 allows deserialization of untrusted data. An unauthenticated attacker could run commands on the server when port 17001 was remotely accessible. This port is not accessible remotely by default after applying the Build 6985 patch.
- CVE-2022-24384Mar 14, 2022risk 0.04cvss —epss 0.04
Cross-site Scripting (XSS) vulnerability in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.
- CVE-2012-2578Sep 19, 2012risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in SmarterMail 9.2 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a JavaScript alert function used in conjunction with the fromCharCode method, (2) a SCRIPT element, (3) a…
- CVE-2010-3486Sep 22, 2010risk 0.03cvss —epss 0.03
Directory traversal vulnerability in FileStorageUpload.ashx in SmarterMail 7.1.3876 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash), (2) %5C (encoded backslash), or (3) %255c (double-encoded backslash) in the name parameter.
- CVE-2010-3425Sep 16, 2010risk 0.03cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in UserControls/Popups/frmHelp.aspx in SmarterStats 5.3, 5.3.3819, and possibly other 5.3 versions, allows remote attackers to inject arbitrary web script or HTML via the url parameter.
- CVE-2008-1854Apr 16, 2008risk 0.03cvss —epss 0.03
Unspecified vulnerability in SmarterMail Web Server (SMWebSvr.exe) in SmarterMail 5.0.2999 allows remote attackers to cause a denial of service (service termination) via a long HTTP (1) GET, (2) HEAD, (3) PUT, (4) POST, or (5) TRACE request. NOTE: the provenance of this…
- CVE-2008-0872Feb 21, 2008risk 0.03cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in SmarterTools SmarterMail Enterprise 4.3 allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute of an element in the Subject field of an e-mail message.
- CVE-2019-7213Apr 24, 2019risk 0.01cvss —epss 0.42
SmarterTools SmarterMail 16.x before build 6985 allows directory traversal. An authenticated user could delete arbitrary files or could create files in new folders in arbitrary locations on the mail server. This could lead to command execution on the server for instance by…
- CVE-2026-25067Jan 29, 2026risk 0.00cvss —epss 0.00
SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows…
- CVE-2020-36926Jan 15, 2026risk 0.00cvss —epss 0.00
SmarterTrack 7922 contains an information disclosure vulnerability in the Chat Management search form that reveals agent identification details. Attackers can access the vulnerable /Management/Chat/frmChatSearch.aspx endpoint to retrieve agents' first and last names along with…
- CVE-2023-48115Dec 21, 2023risk 0.00cvss —epss 0.00
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request.
- CVE-2023-48114Dec 21, 2023risk 0.00cvss —epss 0.00
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an…
- CVE-2023-48116Dec 21, 2023risk 0.00cvss —epss 0.00
SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment.
- CVE-2022-24387Mar 14, 2022risk 0.00cvss —epss 0.01
With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g. the systemsettings.xml file. THis is possible in SmarterTrack v100.0.8019.14010
- CVE-2022-24386Mar 14, 2022risk 0.00cvss —epss 0.01
Stored XSS in SmarterTools SmarterTrack This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.
- CVE-2022-24385Mar 14, 2022risk 0.00cvss —epss 0.01
A Direct Object Access vulnerability in SmarterTools SmarterTrack leads to information disclosure This issue affects: SmarterTools SmarterTrack 100.0.8019.14010.
- CVE-2021-43977Nov 17, 2021risk 0.00cvss —epss 0.01
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows XSS.
- CVE-2021-32234Nov 17, 2021risk 0.00cvss —epss 0.02
SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows remote code execution.
- CVE-2021-40377Sep 8, 2021risk 0.00cvss —epss 0.00
SmarterTools SmarterMail 16.x before build 7866 has stored XSS. The application fails to sanitize email content, thus allowing one to inject HTML and/or JavaScript into a page that will then be processed and stored by the application.
- CVE-2020-29548Aug 17, 2021risk 0.00cvss —epss 0.01
An issue was discovered in SmarterTools SmarterMail through 100.0.7537. Meddler-in-the-middle attackers can pipeline commands after a POP3 STLS command, injecting plaintext commands into an encrypted user session.
- CVE-2021-32233Jul 5, 2021risk 0.00cvss —epss 0.01
SmarterTools SmarterMail before Build 7776 allows XSS.
- CVE-2019-7212Apr 24, 2019risk 0.00cvss —epss 0.01
SmarterTools SmarterMail 16.x before build 6985 has hardcoded secret keys. An unauthenticated attacker could access other users’ emails and file attachments. It was also possible to interact with mailing lists.
- CVE-2019-7211Apr 24, 2019risk 0.00cvss —epss 0.01
SmarterTools SmarterMail 16.x before build 6995 has stored XSS. JavaScript code could be executed on the application by opening a malicious email or when viewing a malicious file attachment.
- CVE-2015-9276Jan 16, 2019risk 0.00cvss —epss 0.01
SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS by bypassing the anti-XSS mechanisms. It was possible to run JavaScript code when a victim user opens or replies to the attacker's email, which contained a malicious payload. Therefore, users' passwords could…
- CVE-2011-4752Dec 16, 2011risk 0.00cvss —epss 0.02
SmarterTools SmarterStats 6.2.4100 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving frmCustomReport.aspx and certain other files. NOTE: it is possible…
- CVE-2011-4751Dec 16, 2011risk 0.00cvss —epss 0.01
SmarterTools SmarterStats 6.2.4100 generates web pages containing external links in response to GET requests with query strings for frmGettingStarted.aspx, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2)…
- CVE-2011-4750Dec 16, 2011risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in SmarterTools SmarterStats 6.2.4100 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by Default.aspx and certain other files.
- CVE-2011-2159May 20, 2011risk 0.00cvss —epss 0.04
The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/Defaults/frmDefaultSiteSettings.aspx, (2)…
- CVE-2011-2158May 20, 2011risk 0.00cvss —epss 0.04
The SmarterTools SmarterStats 6.0 web server sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/frmSite.aspx, (2) Admin/frmSites.aspx, (3)…
- CVE-2011-2157May 20, 2011risk 0.00cvss —epss 0.03
The (1) Admin/frmEmailReportSettings.aspx and (2) Admin/frmGeneralSettings.aspx components in the SmarterTools SmarterStats 6.0 web server generate web pages containing e-mail addresses, which allows remote attackers to obtain potentially sensitive information by reading the…
- CVE-2011-2156May 20, 2011risk 0.00cvss —epss 0.03
The SmarterTools SmarterStats 6.0 web server allows remote attackers to obtain directory listings via a direct request for the (1) Admin/, (2) Admin/Defaults/, (3) Admin/GettingStarted/, (4) Admin/Popups/, (5) App_Themes/, (6) Client/, (7) Client/Popups/, (8) Services/, (9)…
- CVE-2011-2155May 20, 2011risk 0.00cvss —epss 0.04
Login.aspx in the SmarterTools SmarterStats 6.0 web server generates a ctl00$MPH$txtPassword password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation.
- CVE-2011-2154May 20, 2011risk 0.00cvss —epss 0.03
login.aspx in the SmarterTools SmarterStats 6.0 web server does not include the HTTPOnly flag in a Set-Cookie header for the loginsettings cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
- CVE-2011-2153May 20, 2011risk 0.00cvss —epss 0.02
Login.aspx in the SmarterTools SmarterStats 6.0 web server supports URLs containing txtUser and txtPass parameters in the query string, which makes it easier for context-dependent attackers to discover credentials by reading (1) web-server access logs, (2) web-server Referer…
- CVE-2011-2152May 20, 2011risk 0.00cvss —epss 0.03
The SmarterTools SmarterStats 6.0 web server generates web pages containing external links in response to GET requests with query strings for (1) Client/frmViewReports.aspx or (2) UserControls/Popups/frmHelp.aspx, which makes it easier for remote attackers to obtain sensitive…
- CVE-2011-2151May 20, 2011risk 0.00cvss —epss 0.03
The (1) Admin/frmEmailReportSettings.aspx, (2) Admin/frmGeneralSettings.aspx, (3) Admin/frmSite.aspx, (4) Client/frmUser.aspx, and (5) Login.aspx components in the SmarterTools SmarterStats 6.0 web server accept cleartext passwords, which makes it easier for remote attackers to…
- CVE-2011-2150May 20, 2011risk 0.00cvss —epss 0.03
The SmarterTools SmarterStats 6.0 web server does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error and daemon pause) via vectors involving (1) certain cookies in a…
- CVE-2011-2149May 20, 2011risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in the SmarterTools SmarterStats 6.0 web server allow remote attackers to execute arbitrary SQL commands via certain parameters to (1) Admin/frmSite.aspx, (2) Default.aspx, (3) Services/SiteAdmin.asmx, or (4) Client/frmViewReports.aspx;…
- CVE-2011-2148May 20, 2011risk 0.00cvss —epss 0.05
Admin/frmSite.aspx in the SmarterTools SmarterStats 6.0 web server allows remote attackers to execute arbitrary commands via vectors involving a leading and trailing & (ampersand) character, and (1) an STTTState cookie, (2) the ctl00%24MPH%24txtAdminNewPassword_SettingText…
- CVE-2009-4995Aug 25, 2010risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in frmTickets.aspx in SmarterTools SmarterTrack before 4.0.3504 allows remote attackers to inject arbitrary web script or HTML via the email address field. NOTE: the provenance of this information is unknown; the details are obtained…
- CVE-2009-4994Aug 25, 2010risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in frmKBSearch.aspx in SmarterTools SmarterTrack before 4.0.3504 allows remote attackers to inject arbitrary web script or HTML via the search parameter.
- CVE-2004-2585Dec 31, 2004risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in frmCompose.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to inject arbitrary web script or HTML via Javascript to the "check spelling" feature in the compose area.
- CVE-2004-2586Dec 31, 2004risk 0.00cvss —epss 0.02
Directory traversal vulnerability in frmGetAttachment.aspx in SmarterTools SmarterMail 1.6.1511 and 1.6.1529 allows remote attackers to read arbitrary files via the filename parameter.
Page 1 of 2