Ron Ott

**Name of the Vulnerable Software and Affected Versions** IceWarp Webclient versions prior to 10.2.1 **Description** The issue allows for directory traversal, potentially resulting in the loss of confidential data from IceWarp Mailserver and the operating system. Input passed via the ` c` parameter to "basic/index.html" is not properly sanitized, enabling exploitation to browse the partition where IceWarp is installed and read arbitrary files. **Recommendations** For versions prior to 10.2.1, update to version 10.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "basic/index.html" endpoint to minimize the risk of exploitation. Avoid using the ` c` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** IceWarp Webclient versions 10.2.0 through 10.2.0 **Description** The issue is related to a persistent XSS vulnerability via an HTTP POST request to the "admin/login.html" endpoint with the `username` parameter. **Recommendations** For IceWarp Webclient version 10.2.0, update to version 10.2.1 to resolve the issue. As a temporary workaround, consider restricting access to the "admin/login.html" endpoint until a patch is available. Avoid using the `username` parameter in the affected endpoint until the issue is resolved.