CVE-2024-47227
Published: 23.09.2024, 04:15
Source: Enginsight
Category: Cross-site Scripting

Description:
iRedAdmin before 2.6 allows XSS, e.g., via order_name.

CVSS 3.x Base Score:

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | NIST | 6.1 MEDIUM | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitre    | CNA  | -          | -           | -               | -              | -
CISA-ADP | ADP  | 6.1 MEDIUM | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Score: Percentile 25%

Vulnerable software versions:

Vendor   | Product   | Version
iredmail | iredadmin | < 2.6

Common Weakness Enumeration:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References:
https://docs.iredmail.org/upgrade.iredmail.1.6.8-1.7.0.html#upgrade-iredadmin-open-source-edition-to-the-latest-stable-release-26
https://github.com/iredmail/iRedAdmin/commit/3c72b438d412ea3ee0270f6956e19b1098c19191
https://github.com/iredmail/iRedAdmin/commit/b537e71ecf522d7f10180f5f0aab4a98a881893a
https://github.com/iredmail/iRedAdmin/compare/2.5...2.6
https://www.iredmail.org