You can report a vulnerability at https://helpdesk.peopleinside.it You can use the live chat or the ticket system.
- SMTP command injection (CRLF) in outgoing mail recipients.
SmtpClient::extractAddress()did not strip CR/LF characters before using the value to buildRCPT TO:<...>SMTP commands. An authenticated user could craft a "To"/"Cc"/"Bcc" value containing\r\nto inject additional SMTP commands (e.g. add a hidden recipient not visible in the message headers or application logs). Fixed by stripping CR/LF/NUL at the start ofextractAddress(), consistent with the existingsanitizeHeader()helper. - HTML sanitizer: legacy
background/lowsrcattribute bypass.sanitizeHtml()did not strip the obsoletebackgroundandlowsrcHTML attributes, which old browser engines (pre-modern IE/Gecko) resolved asjavascript:URLs. Not exploitable on current browsers, but removed for defense in depth and to cover non-standard/legacy clients. These attributes have no legitimate use in HTML5 markup. - HTML sanitizer: whitespace-split
javascript:bypass instyleattributes. Astylevalue such asbackground:url(java\nscript:alert(1))evaded thejavascript:/vbscript:/expression(...)substring checks because the keyword was split by whitespace. CSS ignores such whitespace inside tokens, so the check now normalizes whitespace before testing for dangerous keywords; not exploitable on current browsers (modern engines no longer executejavascript:fromurl()), fixed for defense in depth.