CVE-2019-16414

EUVD-2019-7156
A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
Affected Products (NVD)
VendorProductVersion
gfikerio_control
9.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2019/Sep/35
https://twitter.com/haxel0rd/status/1174279811751174144
https://www.youtube.com/watch?v=ZqqR89vzZ_I
http://packetstormsecurity.com/files/154678/GFI-Kerio-Control-9.3.0-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2019/Sep/35
https://twitter.com/haxel0rd/status/1174279811751174144
https://www.youtube.com/watch?v=ZqqR89vzZ_I