CVE-2005-4558

Name of the Vulnerable Software and Affected Versions IceWarp Web Mail version 5.5.1 Merak Mail Server version 8.3.0r VisNetic Mail Server version 8.3.0 build 1

Description The issue allows remote authenticated users to include arbitrary PHP code via a URL in a modified lang settings parameter to "mail/index.html". This is due to the lack of proper restriction on acceptable values for the language parameter to "mail/settings.html" before it is stored in a database.

Recommendations For IceWarp Web Mail version 5.5.1, restrict access to the lang settings parameter in the "mail/index.html" endpoint until a patch is available. For Merak Mail Server version 8.3.0r, consider disabling the modification of the language parameter to "mail/settings.html" to prevent exploitation. For VisNetic Mail Server version 8.3.0 build 1, avoid using the lang settings parameter in the "mail/index.html" endpoint until the issue is resolved.