PT-2019-13969 · Mail2000 · Mail2000

Tony Kuo +1 · Published 2019-11-20 · Updated 2019-11-22 · CVE-2019-15071

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected software and versions: MAIL2000 versions 6.0 and 7.0
Description: The "/cgi-bin/go" page reflects the value of its ACTION parameter into the response without proper output encoding, so an unauthenticated attacker can inject arbitrary web script or HTML (cross-site scripting) that runs in the browser of any user who opens a crafted link to the page. The CVSS vector (reachable over the network, no privileges, user interaction required, changed scope, low confidentiality and integrity impact) matches this reflected-XSS profile; it is not native code execution on the server. The issue is reported to affect many mail systems of governments, organizations, companies, and universities.
Recommendations: For MAIL2000 versions 6.0 and 7.0, apply the vendor fix as soon as it is available. Until then, restrict access to the "/cgi-bin/go" page (for example to trusted networks, or through a reverse proxy or WAF rule that rejects ACTION values containing markup or script), and monitor access logs for requests to this endpoint whose ACTION value contains HTML or JavaScript.
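As an added example, not code from the advisory or from the vendor, the following Python scans web-server access-log lines for requests to the /cgi-bin/go endpoint whose ACTION parameter carries HTML markup, an inline event handler, or a javascript: URL. The log lines are constructed for the example, and the indicator patterns, thresholds and field names are my own assumptions rather than anything the advisory specifies.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2019:10:01:02 +0800] "GET /cgi-bin/go?ACTION=LOGIN HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Nov/2019:10:01:09 +0800] "GET /cgi-bin/go?ACTION=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Nov/2019:10:02:11 +0800] "GET /cgi-bin/go?ACTION=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1598 "-" "curl/7.64.1"
198.51.100.7 - - [20/Nov/2019:10:02:30 +0800] "GET /cgi-bin/other?ACTION=%3Cb%3E HTTP/1.1" 404 210 "-" "curl/7.64.1"
192.0.2.9 - - [20/Nov/2019:10:03:00 +0800] "GET /cgi-bin/go?ACTION=javascript%3Aalert(1) HTTP/1.1" 200 1590 "-" "Mozilla/5.0"
"""

# Minimal "combined" log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/cgi-bin/go"   # endpoint named in the advisory
TARGET_PARAM = "ACTION"       # parameter named in the advisory

# Indicators of markup/script injection in a reflected parameter. These are
# assumptions chosen for the example, not patterns taken from the advisory.
INDICATORS = [
    ("html-markup", re.compile(r"[<>]")),
    ("event-handler", re.compile(r"\bon\w+\s*=", re.I)),
    ("javascript-scheme", re.compile(r"javascript\s*:", re.I)),
]


def suspicious_action_value(value):
    """Return the names of the indicators that fire on an ACTION value."""
    # parse_qs has already percent-decoded once; decode a second time so a
    # double-encoded payload (%253C -> %3C -> <) is still caught.
    decoded = unquote_plus(value)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_log(text):
    """Return one finding per request to TARGET_PATH with a suspicious ACTION value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            if name.upper() != TARGET_PARAM:  # CGI parameter names may vary in case
                continue
            for value in values:
                reasons = suspicious_action_value(value)
                if reasons:
                    findings.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "status": int(m.group("status")),
                        "value": unquote_plus(value),
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"reasons={','.join(f['reasons'])} ACTION={f['value']!r}")
```

Run against a real log, the status field is worth keeping: a 200 response to a request with markup in ACTION means the page reflected it back, whereas a 403 from a blocking rule in front of the CGI shows the interim restriction above is working. The request to /cgi-bin/other in the sample is deliberately ignored, because the advisory names only the /cgi-bin/go endpoint.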

Fix

Weakness Enumeration

XSS

Related identifiers

CVE-2019-15071

Affected products

Mail2000