The reported vulnerability is a "Clickjacking" vulnerability and is present in the email preview feature of Kerio Connect versions 8 and 9.
The vulnerability is a risk to users who have their mailbox on Kerio Connect, are logged into Kerio Connect and use the email preview functionality. The risk is that an attacker could insert a malicious link into an email that tricks the user into clicking a button, or a link to a web page, that takes them out of the Kerio Connect user interface.
Reported by Remco Verhoef (@remco_verhoef).
An attacker could send a specially crafted HTML email to a victim using Kerio Connect. When the email is displayed in the Kerio Connect web client or desktop application, the attacker can trick the user into clicking a button or link on a page other than the one they believe they are clicking.
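One mitigation on the rendering side is to sanitize the HTML body of a message before it reaches the preview pane, so that email content cannot load foreign documents, run script, or position itself over the client's own controls (the overlay that a clickjacking email relies on). The sanitizer below is an added illustration and is not Kerio's code: the sample message, the `attacker.example` URLs, the tag and CSS property lists, and the function names are all constructed for this example. It uses only the Python standard library.

```python
from html import escape
from html.parser import HTMLParser

# Elements dropped together with their content: they can run code, embed a
# foreign document, or inject a stylesheet that repositions other content.
# (constructed list for this example, not an exhaustive allow/deny policy)
DROP_WITH_CONTENT = {"script", "style", "iframe", "frame", "object", "embed",
                     "applet", "form", "svg", "math"}
# Elements dropped on their own (their children, if any, are kept).
DROP_TAGS = {"link", "meta", "base", "input", "button"}
VOID_ELEMENTS = {"br", "hr", "img", "area", "col", "source", "wbr"}
# CSS properties that let untrusted content leave its box or sit invisibly
# on top of the surrounding UI.
OVERLAY_PROPS = {"position", "z-index", "opacity", "visibility", "top", "left",
                 "right", "bottom", "margin", "margin-top", "margin-left",
                 "margin-right", "margin-bottom", "transform", "clip",
                 "pointer-events", "filter"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
ALLOWED_SCHEMES = ("http://", "https://", "mailto:")


def clean_style(style):
    """Keep only inline CSS declarations that cannot overlay or load resources."""
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop, value = prop.strip().lower(), value.strip()
        low = value.lower()
        if prop in OVERLAY_PROPS or prop.startswith("-"):
            continue
        if "expression(" in low or "url(" in low or "javascript:" in low:
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the message HTML, dropping anything that can escape the preview."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0   # > 0 while inside a dropped element
        self.removed = []      # audit trail of what was stripped

    def _render(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):                  # inline event handlers
                self.removed.append(f"{tag}@{name}")
                continue
            if name == "style":
                value = clean_style(value)
                if not value:
                    continue
            elif name in URL_ATTRS:
                if not value.strip().lower().startswith(ALLOWED_SCHEMES):
                    self.removed.append(f"{tag}@{name}={value[:40]}")
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        if tag == "a":  # links open without a referrer or window handle
            parts.append('rel="noopener noreferrer"')
        return "<" + " ".join(parts) + ">"

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = 1   # an unclosed dropped tag fails closed
            self.removed.append(f"<{tag}> with content")
            return
        if tag in DROP_TAGS:
            self.removed.append(f"<{tag}>")
            return
        self.out.append(self._render(tag, attrs))

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in VOID_ELEMENTS or tag in DROP_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:   # re-escape text the parser decoded
            self.out.append(escape(data, quote=False))
    # HTML comments and declarations fall through to the no-op defaults.


def sanitize_email_html(html_body):
    parser = EmailHtmlSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample message: a near-invisible full-screen link, a frame, an
# event handler and a script, mixed with ordinary content that must survive.
SAMPLE_EMAIL = """<html><body>
<p>Your invoice is attached.</p>
<a href="https://attacker.example/claim" style="position:fixed; top:0; left:0; width:100%; height:100%; opacity:0.01; z-index:9999">Claim</a>
<iframe src="https://attacker.example/frame"></iframe>
<img src="https://attacker.example/track.gif" onerror="alert(1)">
<a href="javascript:void(0)" onclick="steal()">Open</a>
<script>document.location='https://attacker.example'</script>
<p style="color: red; font-weight: bold">Regards &amp; thanks</p>
</body></html>"""


def sanitize_sample():
    return sanitize_email_html(SAMPLE_EMAIL)


if __name__ == "__main__":
    cleaned, removed = sanitize_sample()
    print(cleaned)
    print("removed:", removed)
```

The parser fails closed: an unterminated dropped element swallows the rest of the message rather than letting part of it through. A production client would rely on a maintained sanitizer library rather than this sketch, and would pair it with a `Content-Security-Policy` with `frame-ancestors` on the client application itself, which covers the separate case of the client being framed by another site.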
A fix for this vulnerability is available in Kerio Connect as of version 9.2.3. The latest release of Kerio Connect can be downloaded from the vendor's download page.
Protection Mechanism Failure (CWE-693)