Eli Samara

**Name of the Vulnerable Software and Affected Versions** hMailServer version 5.8.6 **Description** An issue allows a local attacker to obtain sensitive information via the `hmailserver/installation/hMailServerInnoExtension.iss` and `hMailServer.ini` components. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** hMailServer versions 5.6.9-beta through 5.8.6 **Description** The software uses a hardcoded cryptographic key in the `Encryption.cs` file. This allows an attacker to decrypt passwords for other servers stored in the `hMailAdmin.exe.config` file, potentially granting access to other hMailServer admin consoles with configured connections. **Recommendations** Update hMailServer to a version newer than 5.8.6.