CVE-2026-23604
📋 TL;DR
This stored XSS vulnerability in GFI MailEssentials AI allows authenticated users to inject malicious scripts into the keyword filtering rule creation interface. When administrators view these rules, the scripts execute in their browser context, potentially compromising their accounts. Organizations using GFI MailEssentials AI versions before 22.4 are affected.
💻 Affected Systems
- GFI MailEssentials AI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as the administrator (including creating new admin accounts), and potentially pivot to other systems in the network.
Likely Case
Attackers with authenticated access could steal session tokens to hijack administrator accounts, leading to unauthorized access to email security configurations and sensitive data.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the web interface and knowledge of the vulnerable parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.4 or later
Vendor Advisory: https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases
Restart Required: Yes
Instructions:
1. Download GFI MailEssentials AI version 22.4 or later from the vendor portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the GFI MailEssentials service after installation completes.
🔧 Temporary Workarounds
Input Validation via WAF
Configure a web application firewall to block requests containing script tags or JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter.
Restrict User Permissions
Limit which users can create keyword filtering rules to trusted administrators only.
🧯 If You Can't Patch
- Implement strict input validation on the MailEssentials server to sanitize all user-supplied data in rule names.
- Apply Content Security Policy headers to restrict script execution in the management interface.
🔍 How to Verify
Check if Vulnerable:
Check whether the GFI MailEssentials AI version shown in the product's About or Help section is below 22.4.
Check Version:
Not applicable - check version through GFI MailEssentials AI web interface.
Verify Fix Applied:
After upgrading to version 22.4 or later, attempt to inject script tags in the rule name field and verify they are properly encoded when displayed.
📡 Detection & Monitoring
Log Indicators:
- Unusual rule creation activity
- Rule names containing script tags or JavaScript code
Network Indicators:
- HTTP POST requests to /MailEssentials/pages/MailSecurity/contentchecking.aspx with script content in parameters
SIEM Query:
source="gfi_mailessentials" AND (uri_path="/MailEssentials/pages/MailSecurity/contentchecking.aspx" AND (param_value CONTAINS "<script>" OR param_value CONTAINS "javascript:"))
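An added example (not from the page or the vendor) that applies the detection logic above to constructed request-log lines: it decodes the form body, isolates the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter on the contentchecking.aspx path, and matches script tags and javascript: URIs case-insensitively, which a literal "<script>" CONTAINS clause may miss depending on the SIEM. It also shows the output encoding that the "If Mitigated" and "Verify Fix Applied" sections describe. The "METHOD PATH BODY" record format is an assumption for illustration.

```python
import re
import html
from urllib.parse import parse_qs

# Constructed sample log lines in an assumed "METHOD PATH BODY" format
# (not real product logs); bodies are URL-encoded as a browser would send them.
SAMPLE_LOGS = [
    "POST /MailEssentials/pages/MailSecurity/contentchecking.aspx ctl00%24ContentPlaceHolder1%24pv1%24TXB_RuleName=Block+spam",
    "POST /MailEssentials/pages/MailSecurity/contentchecking.aspx ctl00%24ContentPlaceHolder1%24pv1%24TXB_RuleName=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "POST /MailEssentials/pages/MailSecurity/contentchecking.aspx ctl00%24ContentPlaceHolder1%24pv1%24TXB_RuleName=%3CSCRIPT+src%3Dx%3E",
    "POST /MailEssentials/pages/MailSecurity/contentchecking.aspx ctl00%24ContentPlaceHolder1%24pv1%24TXB_RuleName=%3Ca+href%3D%22JavaScript%3Avoid(0)%22%3Ex",
    "GET /MailEssentials/pages/MailSecurity/contentchecking.aspx -",
]

TARGET_PATH = "/MailEssentials/pages/MailSecurity/contentchecking.aspx"
RULE_NAME_PARAM = "ctl00$ContentPlaceHolder1$pv1$TXB_RuleName"

# Case-insensitive: "<SCRIPT src=x>" and "JavaScript:" are still script injection
# attempts even though they do not contain the literal string "<script>".
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def flagged_rule_names(lines):
    """Return the URL-decoded rule names in rule-creation POSTs that look like script injection."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        method, path, body = parts
        if method != "POST" or path != TARGET_PATH:
            continue
        # parse_qs URL-decodes both keys and values, so "%24" -> "$" and "%3C" -> "<";
        # matching on the raw encoded body would miss these.
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get(RULE_NAME_PARAM, []):
            if SUSPICIOUS.search(value):
                hits.append(value)
    return hits


def safe_render(rule_name):
    """Output encoding a fixed UI should apply: the rule name renders as text, not markup."""
    return html.escape(rule_name, quote=True)


if __name__ == "__main__":
    for name in flagged_rule_names(SAMPLE_LOGS):
        print("suspicious rule name:", name, "-> rendered safely as:", safe_render(name))
```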