CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39699
https://notcve.org/view.php?id=CVE-2023-39699
IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /calendar/minimizer/index.php. This vulnerability allows attackers to include or execute files from the local file system of the targeted server. • https://cwe.mitre.org/data/definitions/98.html https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39700
https://notcve.org/view.php?id=CVE-2023-39700
IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color parameter. Se ha descubierto que IceWarp Mail Server v10.4.5 contiene una vulnerabilidad de Cross-Site Scripting reflejado (XSS) a través del parámetro color. • https://cwe.mitre.org/data/definitions/79.html https://drive.google.com/file/d/1QL_517UbTFJox4CXKQpP9fehR1yXRJ-y https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_%28XSS%29 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-36580
https://notcve.org/view.php?id=CVE-2021-36580
Open Redirect vulnerability exists in IceWarp MailServer IceWarp Server Deep Castle 2 Update 1 (13.0.1.2) via the referer parameter. • http://icewarp.com http://mail.ziyan.com https://medium.com/%40rohitgautam26/cve-2021-36580-69219798231c • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-23824
https://notcve.org/view.php?id=CVE-2020-23824
ArGo Soft Mail Server 1.8.8.9 is affected by Cross Site Request Forgery (CSRF) for perform remote arbitrary code execution. The component is the Administration dashboard. When using admin/user credentials, if the admin/user admin opens a website with the malicious page that will run the CSRF. ArGo Soft Mail Server versión 1.8.8.9 está afectado por una vulnerabilidad de tipo Cross Site Request Forgery (CSRF) para realizar una ejecución de código arbitraria remota. El componente es el panel de administración. • https://github.com/V1n1v131r4/CSRF-on-ArGoSoft-Mail-Server/blob/master/README.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2019-19266 – IceWarp 12.2.0 / 12.1.x Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-19266
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects. IceWarp WebMail Server versión 12.2.0 y versiones 12.1.x anteriores a la versión 12.2.1.1 (y probablemente versiones anteriores), permite un ataque de tipo XSS (problema 2 de 2) en notas para objetos. IceWarp versions 12.2.0 and 12.1.x suffer from a cross site scripting vulnerability. • http://seclists.org/fulldisclosure/2020/Jan/1 https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-016/-icewarp-cross-site-scripting-in-notes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •