CVE-2020-14065
https://notcve.org/view.php?id=CVE-2020-14065
IceWarp Email Server 12.3.0.1 allows remote attackers to upload files and consume disk space. IceWarp Email Server versión 12.3.0.1, permite a atacantes remotos cargar archivos y consumir espacio en disco • https://github.com/pinpinsec/CVE-2020-14065 https://github.com/networksecure/CVE-2020-14065 https://github.com/networksecure/icewarp_unlimited_file_upload https://www.icewarp.com/download-premise/server • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2020-14064
https://notcve.org/view.php?id=CVE-2020-14064
IceWarp Email Server 12.3.0.1 has Incorrect Access Control for user accounts. IceWarp Email Server versión 12.3.0.1, presenta un Control de Acceso Incorrecto para las cuentas de usuario • https://github.com/networksecure/CVE-2020-14064 https://github.com/networksecure/Icewarp_incorrect_access_control https://www.icewarp.com/download-premise/server • CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2019-19266 – IceWarp 12.2.0 / 12.1.x Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-19266
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects. IceWarp WebMail Server versión 12.2.0 y versiones 12.1.x anteriores a la versión 12.2.1.1 (y probablemente versiones anteriores), permite un ataque de tipo XSS (problema 2 de 2) en notas para objetos. IceWarp versions 12.2.0 and 12.1.x suffer from a cross site scripting vulnerability. • http://seclists.org/fulldisclosure/2020/Jan/1 https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-016/-icewarp-cross-site-scripting-in-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-19265 – IceWarp 12.2.0 / 12.1.x Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-19265
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 1 of 2) in notes for contacts. IceWarp WebMail Server versiones 12.2.0 y versiones 12.1.x anteriores a la versión 12.2.1.1 (y probablemente versiones anteriores), permite un ataque de tipo XSS (problema 1 de 2) en notas para contactos. IceWarp versions 12.2.0 and 12.1.x suffer from a cross site scripting vulnerability in notes for contacts. • http://seclists.org/fulldisclosure/2020/Jan/0 https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-015/-icewarp-cross-site-scripting-in-notes-for-contacts • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12593 – IceWarp 10.4.4 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2019-12593
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal. En IceWarp Mail Server hasta la versión 10.4.4 un salto de directorio permite una vulnerabilidad de inclusión de archivos locales mediante webmail / calendar / minimizer / index.php? Style = ..% 5c IceWarp versions 10.4.4 and below suffer from a local file inclusion vulnerability. • https://www.exploit-db.com/exploits/46959 http://packetstormsecurity.com/files/153161/IceWarp-10.4.4-Local-File-Inclusion.html https://github.com/JameelNabbo/exploits/blob/master/IceWarp%20%3C%3D10.4.4%20local%20file%20include.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •