Cross-Site Scripting in Icewarp Mail Server by Icewarp
CVE-2025-40632

2LOW

Key Information:

Vendor: Icewarp
Status: Icewarp Mail Server
Vendor: CVE Published:; 16 May 2025

What is CVE-2025-40632?

A cross-site scripting vulnerability exists in Icewarp Mail Server version 11.4.0, which enables attackers to inject malicious JavaScript into a user's browser. This can occur through the manipulation of the 'lastLogin' cookie, posing a significant risk to user security as the injected script executes when the web page is rendered.

Affected Version(s)

Icewarp Mail Server 11.4.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

B3xal

JSON