Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

atmail 7 Stored XSS Vulnerability

Gauge reading medium severity


Patch Date

May 25, 2017

Reported Date

February 23, 2017



Systems Affected

atmail 7


A stored XSS vulnerability was identified in the webmail component of atmail 7. By sending a specially crafted email to a victim, an attacker can include an XSS payload to steal user contacts, send arbitrary emails, expose inbox contents, and more.

Vendor Status

This vulnerability was remediated in atmail, released on May 25, 2017. CVE-2017-11617 was issued to the vulnerability.

Disclosure timeline:

2017-02-24 – Vulnerability reported

2017-02-27 – Report acknowledged

2017-05-25 – Patch released

Exploit Availability

Full details regarding this vulnerability can be found in the accompanying blog post.


Zach Julian of Bishop Fox

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.

Zach julian

About the author, Zach Julian

Senior Security Consultant

Zachary Julian is a Senior Security Consultant at Bishop Fox. In this role, he specializes in web application penetration testing, source code review, and hybrid application assessments.

Zach discovered CVE-2017-11617, a stored cross-site scripting vulnerability affecting a popular webmail product, and has presented at events such as (ISC)2 Phoenix, CactusCon, and Converge Detroit. He has also been quoted on topical security issues in Forbes, Vice Motherboard, The Intercept, and eSecurityPlanet.
More by Zach

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.