Impact
Postal versions earlier than 3.3.5 had an HTML injection vulnerability that allowed unescaped data to be included in the admin interface. The primary way for unescaped data to be added is via the API's "send/raw" method.
This could allow arbitrary HTML to be injected into the page, which may modify the page in a misleading way or allow unauthorised JavaScript to be executed.
Patches
Fixed in 3.3.5 and higher.
Workarounds
If you don't use the legacy API to deliver messages, exposure to this is limited because the SMTP server sanitizes the < and > characters.
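The following is an added example, not code from Postal or this advisory, that illustrates the class of bug in plain Ruby/ERB: an admin-style view that interpolates a message field without escaping reproduces the injection, while the same view with `ERB::Util.html_escape` renders the untrusted value inertly. The template, the sample subject, the `injected_tags?` check and the `strip_angle_brackets` helper (a stand-in for the address sanitization the workaround describes, not Postal's actual code) are all constructed assumptions.

```ruby
require "erb"

# Constructed sample field, as it might arrive through an API that accepts raw message data.
# The <script> element only carries a comment; it is a marker for detection, not a payload.
SAMPLE_SUBJECT = "Invoice <b>overdue</b> <script>/*marker*/</script>"

# Outside Rails, ERB's <%= %> performs NO escaping, so interpolating untrusted data
# directly is the vulnerable pattern (the "before" side of this advisory's fix).
UNSAFE_TEMPLATE = ERB.new('<td class="subject"><%= subject %></td>')

# Hardened pattern: escape the value at output time. &, <, >, " and ' become entities,
# so attacker-controlled markup is shown as text rather than parsed as HTML.
SAFE_TEMPLATE = ERB.new('<td class="subject"><%= ERB::Util.html_escape(subject) %></td>')

def render_unsafe(subject)
  UNSAFE_TEMPLATE.result_with_hash(subject: subject)
end

def render_safe(subject)
  SAFE_TEMPLATE.result_with_hash(subject: subject)
end

# Simple review/regression check: does the rendered fragment contain any element
# other than the ones the template itself emits? True means something was injected.
def injected_tags?(html, allowed = %w[td])
  tags = html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>}).flatten.map(&:downcase)
  tags.any? { |t| !allowed.include?(t) }
end

# Assumed stand-in for the workaround's observation that the SMTP path removes
# angle brackets; shown only to contrast input-side stripping with output escaping.
def strip_angle_brackets(value)
  value.delete("<>")
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(SAMPLE_SUBJECT)}"
  puts "safe:   #{render_safe(SAMPLE_SUBJECT)}"
  puts "injected in unsafe? #{injected_tags?(render_unsafe(SAMPLE_SUBJECT))}"
  puts "injected in safe?   #{injected_tags?(render_safe(SAMPLE_SUBJECT))}"
end
```

Output escaping (the safe template) is the durable fix because it protects every field regardless of which ingestion path it came through; input-side stripping, as in `strip_angle_brackets`, only helps for paths that apply it, which is exactly why the legacy raw API remained exposed.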