PT-2019-13024 · Mailenable · Mailenable Enterprise Premium

Published: 2019-07-08 · Updated: 2020-08-24 · CVE-2019-12924

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MailEnable Enterprise Premium version 10.23

Description: The issue allows an unauthenticated user to exploit an XML External Entity Injection (XXE) vulnerability in the configuration of the XML processor. This could enable an attacker to read any file on the host system. Since all credentials are stored in a cleartext file, it is possible for an attacker to steal all users' credentials, including those of the highest privileged users.

Recommendations: For MailEnable Enterprise Premium version 10.23, consider disabling the XML processor or restricting its configuration to prevent XXE attacks until a patch is available. Additionally, restrict access to sensitive files on the host system to minimize the risk of credential theft.
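Added example, not part of the advisory and not MailEnable's own code: a Python check that applies the "restrict the XML processor" recommendation above by refusing any document carrying a DOCTYPE before a parser sees it, so an entity pointing at a host file can never be resolved. The settings document, the element names and the file path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place an ENTITY declaration can live, and a
# configuration document never legitimately needs one, so the guard
# refuses the whole document rather than trying to filter entities.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def has_doctype(xml_bytes: bytes) -> bool:
    """True if the document carries a DOCTYPE (and so possibly ENTITY) declaration."""
    return _DOCTYPE_RE.search(xml_bytes) is not None


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Parse untrusted XML, failing closed on any DTD.

    The DOCTYPE guard is the control: the stdlib parser only ever sees
    DTD-free documents, so no entity, internal or external, can expand
    to the contents of a file on the host.
    """
    if has_doctype(xml_bytes):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed")
    return ET.fromstring(xml_bytes)


def mailbox_name(xml_bytes: bytes) -> str:
    """Return the <mailbox> setting, or a 'rejected: ...' marker if parsing is refused."""
    try:
        root = safe_parse(xml_bytes)
    except ValueError as exc:
        return f"rejected: {exc}"
    node = root.find("mailbox")
    return node.text if node is not None and node.text else ""


# Constructed sample: a harmless settings document (hypothetical schema).
BENIGN = b'<?xml version="1.0"?><settings><mailbox>alice</mailbox></settings>'

# Constructed sample of the pattern the advisory describes: an external entity
# whose SYSTEM identifier points at a file on the host. The path is a placeholder.
XXE_STYLE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE settings [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/credentials.txt">]>\n'
    b'<settings><mailbox>&ext;</mailbox></settings>'
)

if __name__ == "__main__":
    print(mailbox_name(BENIGN))     # alice
    print(mailbox_name(XXE_STYLE))  # rejected: DOCTYPE/ENTITY declarations are not allowed
```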

Weakness Enumeration

XXE

Missing Encryption of Sensitive Data

Related Identifiers: CVE-2019-12924

Affected Products: MailEnable Enterprise Premium