CVE-2010-3486

Name of the Vulnerable Software and Affected Versions SmarterMail version 7.1.3876

Description A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by manipulating the name parameter with specific sequences, including (1) ../ (dot dot slash), (2) %5C (encoded backslash), or (3) %255c (double-encoded backslash).

Recommendations For SmarterMail version 7.1.3876, consider restricting access to the FileStorageUpload.ashx handler until a patch is available. As a temporary workaround, avoid using the name parameter in the affected API endpoint until the issue is resolved.