CVE-2019-12593 – IceWarp 10.4.4 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2019-12593
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal. En IceWarp Mail Server hasta la versión 10.4.4 un salto de directorio permite una vulnerabilidad de inclusión de archivos locales mediante webmail / calendar / minimizer / index.php? Style = ..% 5c IceWarp versions 10.4.4 and below suffer from a local file inclusion vulnerability. • https://www.exploit-db.com/exploits/46959 http://packetstormsecurity.com/files/153161/IceWarp-10.4.4-Local-File-Inclusion.html https://github.com/JameelNabbo/exploits/blob/master/IceWarp%20%3C%3D10.4.4%20local%20file%20include.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-16324
https://notcve.org/view.php?id=CVE-2018-16324
In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ username field. En IceWarp Server en versiones 12.0.3.1 y anteriores, hay Cross-Site Scripting (XSS) en el campo username en /webmail/. • https://cxsecurity.com/issue/WLB-2018080098 https://packetstormsecurity.com/files/148887/IceWarp-WebMail-12.0.3.1-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-7475
https://notcve.org/view.php?id=CVE-2018-7475
Cross-site scripting (XSS) vulnerability for webdav/ticket/ URIs in IceWarp Mail Server 12.0.3 allows remote attackers to inject arbitrary web script or HTML. Vulnerabilidad Cross-Site Scripting (XSS) en las URI webdav/ticket/ en IceWarp Mail Server 12.0.3 permite que atacantes remotos autenticados inyecten scripts web o HTLM. • https://0xd0ff9.wordpress.com/2018/06/21/cve-2018-7475 https://www.youtube.com/watch?v=8_3Q80JrMm4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-1503 – IceWarp Mail Server < 11.1.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-1503
Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or (3) style parameter to webmail/old/calendar/minimizer/index.php. Múltiples vulnerabilidades de salto de directorio en IceWarp Mail Server en versiones anteriores a la 11.2 permiten que atacantes remotos lean archivos arbitrarios mediante (1) un .. (punto punto) en el parámetro file en una página webmail/client/skins/default/css/css.php o .../. • https://www.exploit-db.com/exploits/44587 http://packetstormsecurity.com/files/147505/IceWarp-Mail-Server-Directory-Traversal.html https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-001/?fid=5614 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2017-12844
https://notcve.org/view.php?id=CVE-2017-12844
Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated domain administrators to inject arbitrary web script or HTML via a crafted user name. Una vulnerabilidad Cross-Site Scripting (XSS) en en panel de administrador en IceWarp Mail Server 10.4.4 permite que administradores del dominio remotos autenticados inyecten scripts web o HTLM arbitrarios mediante un nombre de usuario manipulado. • https://youtu.be/MI4dhEia1d4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •