CVE-2018-7701

Name of the Vulnerable Software and Affected Versions: SecurEnvoy SecurMail versions prior to 9.2.501

Description: The issue allows remote attackers to hijack the authentication of arbitrary users for requests. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, attackers can delete e-mail messages via a delete action in a request to "secmail/getmessage.exe" or spoof arbitrary users and reply to their messages via a request to "secserver/securectrl.exe".

Recommendations: For versions prior to 9.2.501, update to version 9.2.501 or later to resolve the issue. As a temporary workaround, consider restricting access to the "secmail/getmessage.exe" and "secserver/securectrl.exe" endpoints to minimize the risk of exploitation.