GFI KerioConnect Cross-Site Scripting Vulnerability in File Upload Component

Vulnerability

A cross-site scripting vulnerability has been identified in GFI KerioConnect version 10.0.6. The issue arises from an unknown function in the file upload component, where user-controlled input is not properly sanitized before being displayed on the web page. This vulnerability can be exploited remotely and requires user interaction.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, upload a file whose name contains malicious JavaScript code through the file upload feature. The application then displays the file name on the page inside an input field without proper sanitization, creating an opportunity for cross-site scripting.
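The following is an added example, not code from GFI KerioConnect: it contrasts the rendering pattern the advisory describes (a raw file name concatenated into an input field's value attribute) with the same template after attribute-context escaping, and includes a small check for whether the file name was able to terminate the attribute early. The template string, function names and the sample file name are assumptions constructed for illustration.

```javascript
// Added example (not GFI/Kerio code): escaping a user-supplied file name
// before embedding it in an HTML input attribute, as the advisory describes.
// The vulnerable pattern concatenates the raw name; the hardened one escapes
// the five characters that can terminate an attribute or start markup.

// Attribute-context escaping of & < > " ' (the usual HTML-escaping set).
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  })[ch]);
}

// Vulnerable rendering: the raw file name is dropped straight into the value attribute.
function renderFileNameVulnerable(fileName) {
  return '<input type="text" name="filename" value="' + fileName + '">';
}

// Hardened rendering: the same template, but the name is escaped for attribute context.
function renderFileNameSafe(fileName) {
  return '<input type="text" name="filename" value="' + escapeHtmlAttr(fileName) + '">';
}

// Returns true only if the rendered markup still holds a single quoted value,
// i.e. the file name did not close the attribute or inject new markup.
function attributeIsIntact(html) {
  const prefix = '<input type="text" name="filename" value="';
  if (!html.startsWith(prefix) || !html.endsWith('">')) return false;
  const inner = html.slice(prefix.length, -2);
  return !inner.includes('"') && !inner.includes("<") && !inner.includes(">");
}

// Constructed sample file name carrying a double quote and angle brackets,
// the characters that matter for breaking out of an attribute (hypothetical input).
const SAMPLE_NAME = 'report" <b>x</b>.pdf';
```

Running `attributeIsIntact` over both renderings of `SAMPLE_NAME` shows the vulnerable template losing the attribute boundary while the escaped one keeps it; the same escaping must be applied wherever the name is reflected, not only in this one field.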

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.