What the vulnerability does
Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail transmail allows Stored XSS. This issue affects Zoho ZeptoMail: from n/a through <= 3.3.1.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Explanation of Vulnerability in Simple Terms
Zoho ZeptoMail versions 3.3.1 and earlier are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in ZeptoMail user, causes the victim's browser to submit requests that perform unauthorized actions on their account. The attack requires the victim to visit the attacker's page while authenticated. Because the forged request can store attacker-chosen content that the application later renders, the description lists stored XSS as the outcome; more generally it can lead to unauthorized changes to mail settings, account configuration, or other sensitive operations.
What an attacker can do
Perform unauthorized actions on a victim's ZeptoMail account by tricking them into visiting a malicious webpage.
Potential impact on your site
Users' ZeptoMail accounts can be compromised without their knowledge if they visit untrusted sites while logged in.
Conditions required to exploit
Victim must be logged into ZeptoMail and visit an attacker-controlled webpage.
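The following is an added illustration of the CSRF-to-stored-XSS chain the advisory describes and of the two controls that break it; it is example code written for this page, not ZeptoMail's or the transmail plugin's code, and the site origin, session model and settings field are assumed placeholders. A settings handler with no CSRF check accepts a value auto-submitted by a cross-site page and then echoes it raw, so the forged request becomes stored script; the hardened handler rejects the request (Origin check plus a session-bound synchronizer token) and the hardened renderer HTML-encodes the stored value so that even a value already in the store cannot execute.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed origin for this example; the advisory names no host.
SITE_ORIGIN = "https://mail.example.test"


@dataclass
class Session:
    """Server-side session of a logged-in user (assumed model, not the plugin's)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class SettingsStore:
    """A persisted setting that the admin UI later renders (assumed field)."""
    sender_name: str = "ZeptoMail"


def same_origin(header_value: str) -> bool:
    """True only if scheme and host match the site exactly (no prefix tricks)."""
    want = urlsplit(SITE_ORIGIN)
    got = urlsplit(header_value)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def verify_csrf(session: Session, headers: dict, form: dict) -> bool:
    """Two independent checks every state-changing request must pass."""
    # 1. Browsers attach Origin (or at least Referer) to cross-site form posts;
    #    an absent or foreign value means the request did not come from our page.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not same_origin(origin):
        return False
    # 2. Synchronizer token: a cross-site page cannot read the victim's token,
    #    so it cannot include it. Constant-time compare avoids timing leaks.
    submitted = form.get("_csrf", "")
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def update_settings_vulnerable(session, headers, form, store) -> int:
    """Failure mode the advisory describes: no CSRF check, raw value stored."""
    store.sender_name = form.get("sender_name", store.sender_name)
    return 200


def update_settings_hardened(session, headers, form, store) -> int:
    """Same handler with the CSRF gate in front of the state change."""
    if not verify_csrf(session, headers, form):
        return 403
    store.sender_name = form.get("sender_name", store.sender_name)
    return 200


def render_vulnerable(store) -> str:
    """Stored value echoed raw: this is what turns the CSRF into stored XSS."""
    return f"<p>Sender: {store.sender_name}</p>"


def render_hardened(store) -> str:
    """Output encoding: a bad value already in the store still cannot execute."""
    return f"<p>Sender: {html.escape(store.sender_name, quote=True)}</p>"


def simulate() -> dict:
    """Replay the scenario: a logged-in victim's browser submits an attacker's form."""
    victim = Session(user="alice")
    payload = "<script>alert(1)</script>"  # constructed script-bearing setting value
    attacker_headers = {"Origin": "https://attacker.example.test"}
    attacker_form = {"sender_name": payload}  # no _csrf: the attacker cannot know it

    vuln_store = SettingsStore()
    vuln_status = update_settings_vulnerable(victim, attacker_headers, attacker_form, vuln_store)

    hard_store = SettingsStore()
    hard_status = update_settings_hardened(victim, attacker_headers, attacker_form, hard_store)
    sender_after_attack = hard_store.sender_name

    # The legitimate admin form, served by the site itself, carries the session token.
    legit_headers = {"Origin": SITE_ORIGIN}
    legit_form = {"sender_name": "Support Desk", "_csrf": victim.csrf_token}
    legit_status = update_settings_hardened(victim, legit_headers, legit_form, hard_store)

    return {
        "vulnerable_status": vuln_status,
        "vulnerable_html": render_vulnerable(vuln_store),
        "hardened_status": hard_status,
        "sender_after_attack": sender_after_attack,
        "legit_status": legit_status,
        "hardened_html": render_hardened(hard_store),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The two controls are deliberately independent: the Origin check and the token stop the forged write, while output encoding limits the damage if a write ever gets through by another route. A token bound to the session (rather than a global or guessable value) is what makes the second check meaningful.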