PT-2007-4037 · Intermesh · Group-Office
Published 2007-05-16 · Updated 2011-03-08 · CVE-2007-2720
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Group-Office versions prior to 2.16-13
Description
The issue allows remote attackers to obtain sensitive information via certain requests for specific API endpoints, including "message.php" and "messages.php" in the modules/email/ directory, due to improper validation of user IDs, specifically the user id variable.
Recommendations
For versions prior to 2.16-13, update to version 2.16-13 or later to resolve the issue. As a temporary workaround, consider restricting access to the "message.php" and "messages.php" endpoints in the modules/email/ directory to minimize the risk of exploitation. Avoid using the user id variable in these affected API endpoints until the issue is resolved.
Fix
Related identifiers
Affected products
Group-Office