
Piotr Karolak

Researcher from Trustwave's SpiderLabs
#33417 of 53,633
7.8 Total CVSS
Vulnerabilities · 1
PT-2018-4345
7.8
2018-05-08
Icewarp · Icewarp Mail Server · CVE-2015-1503
**Name of the Vulnerable Software and Affected Versions**

IceWarp Mail Server versions prior to 11.2

**Description**

The issue allows remote attackers to read arbitrary files. This can be achieved by exploiting directory traversal vulnerabilities, specifically by using a '..' (dot dot) in the file parameter to the "webmail/client/skins/default/css/css.php" page or by using a '.../.' (dot dot dot slash dot) in the script or style parameter to the "webmail/old/calendar/minimizer/index.php" page.

**Recommendations**

For versions prior to 11.2, update to version 11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable pages, such as "webmail/client/skins/default/css/css.php" and "webmail/old/calendar/minimizer/index.php", until a patch is available.