CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-12844
https://notcve.org/view.php?id=CVE-2017-12844
Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated domain administrators to inject arbitrary web script or HTML via a crafted user name. Una vulnerabilidad Cross-Site Scripting (XSS) en en panel de administrador en IceWarp Mail Server 10.4.4 permite que administradores del dominio remotos autenticados inyecten scripts web o HTLM arbitrarios mediante un nombre de usuario manipulado. • https://youtu.be/MI4dhEia1d4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 2%CPEs: 20EXPL: 4CVE-2011-3579 – IceWarp Mail Server 10.3.2 server/webmail.php Soap Message Parsing - Arbitrary File Disclosure
https://notcve.org/view.php?id=CVE-2011-3579
server/webmail.php in IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML external entity declaration in conjunction with an entity reference. server/webmail.php en IceWarp WebMail en el servidor de correo IceWarp anteriores a v10.3.3 permite a atacantes remotos leer ficheros arbitrarios, y posiblemente enviar peticiones HTTP a los servidores de la intranet o causar una denegación de servicio (Agotamiento de CPU y de memoria), a través de una entidad externa XML declaración en relación con una referencia de entidad. IceWarp Mail Server versions 10.3.2 and below suffer from XML external entity injection and PHP information disclosure vulnerabilities. • https://www.exploit-db.com/exploits/36165 http://archives.neohapsis.com/archives/bugtraq/2011-09/0145.html http://securityreason.com/securityalert/8404 http://securitytracker.com/id?1026093 http://www.osvdb.org/75721 http://www.securityfocus.com/bid/49753 https://exchange.xforce.ibmcloud.com/vulnerabilities/70025 https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt • CWE-399: Resource Management Errors •
CVSS: 5.0EPSS: 3%CPEs: 20EXPL: 3CVE-2011-3580 – IceWarp Mail Server Injection / Information Disclosure
https://notcve.org/view.php?id=CVE-2011-3580
IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote attackers to obtain configuration information via a direct request to the /server URI, which triggers a call to the phpinfo function. IceWarp WebMail en el servidor de correo IceWarp anterirores a v10.3.3 permite a atacantes remotos obtener información de configuración a través de una petición directa a la URI /server, lo que provoca una llamada a la función phpinfo. IceWarp Mail Server versions 10.3.2 and below suffer from XML external entity injection and PHP information disclosure vulnerabilities. • http://archives.neohapsis.com/archives/bugtraq/2011-09/0145.html http://securityreason.com/securityalert/8404 http://securitytracker.com/id?1026093 http://www.osvdb.org/75722 http://www.securityfocus.com/bid/49753 https://exchange.xforce.ibmcloud.com/vulnerabilities/70026 https://www.trustwave.com/spiderlabs/advisories/TWSL2011-013.txt • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 176EXPL: 3CVE-2009-1468 – IceWarp Merak Mail Server 9.4.1 Groupware Component - Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2009-1468
Multiple SQL injection vulnerabilities in the search form in server/webmail.php in the Groupware component in IceWarp eMail Server and WebMail Server before 9.4.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) sql and (2) order_by elements in an XML search query. Múltiples vulnerabilidades de inyección SQL en el formulario de búsqueda en server/webmail.php en el componente Groupware en IceWarp eMail Server y WebMail Server anteriores a v9.4.2 permite a usuarios remotos autenticados ejecutar comandos SQL de forma arbitraria a través de los elementos (1) sql y (2) order_by en un petición de búsqueda XML. RedTeam Pentesting discovered a remote SQL injection vulnerability in the Groupware component of IceWarp WebMail Server version 9.4.1. • https://www.exploit-db.com/exploits/32968 http://osvdb.org/54228 http://www.redteam-pentesting.de/advisories/rt-sa-2009-003 http://www.securityfocus.com/archive/1/503226/100/0/threaded http://www.securityfocus.com/bid/34820 http://www.securitytracker.com/id?1022169 http://www.vupen.com/english/advisories/2009/1253 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 1%CPEs: 176EXPL: 4CVE-2009-1467 – IceWarp Merak Mail Server 9.4.1 - 'cleanHTML()' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-1467
Multiple cross-site scripting (XSS) vulnerabilities in IceWarp eMail Server and WebMail Server before 9.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the body of a message, related to the email view and incorrect HTML filtering in the cleanHTML function in server/inc/tools.php; or the (2) title, (3) link, or (4) description element in an RSS feed, related to the getHTML function in server/inc/rss/item.php. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en IceWarp eMail Server y WebMail Server anteriores a v9.4.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a través de (1) el cuerpo del mensaje, relacionado con la vista del correo electrónico y el incorrecto filtrado HTML en la función "cleanHTML" en server/inc/tools.php; o (2) el titulo, (3) enlace o (4)el elemento descripción en un RSS, relacionado con la función gerHTML en server/inc/rss/item.php. RedTeam Pentesting discovered a cross site scripting vulnerability in the RSS Feed Reader functionality of the IceWarp WebMail Server version 9.4.1. • https://www.exploit-db.com/exploits/32969 https://www.exploit-db.com/exploits/32985 http://osvdb.org/54226 http://osvdb.org/54227 http://www.redteam-pentesting.de/advisories/rt-sa-2009-001 http://www.redteam-pentesting.de/advisories/rt-sa-2009-002 http://www.securityfocus.com/archive/1/503225/100/0/threaded http://www.securityfocus.com/archive/1/503229/100/0/threaded http://www.securityfocus.com/bid/34825 http://www.securitytracker.com/id?1022167 http://www. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •