This vulnerability in DuoGeek Email to Download (<= 3.1.0) is caused by improper neutralization of input during web page generation, resulting in a reflected Cross-site Scripting (XSS) flaw. An attacker can craft a malicious link or input that, when processed by the vulnerable application, causes arbitrary script execution in the victim's browser. The CVSS v3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and impacts to confidentiality, integrity, and availability at low to low levels.

Successful exploitation can allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to theft of user credentials, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. However, no known exploits have been reported in the wild to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted input and consider implementing web application firewall (WAF) rules to detect and block reflected XSS attempts. Monitor vendor communications for updates on patches or official mitigations.