Afterlogic · Afterlogic Aurora · CVE-2021-26294
**Name of the Vulnerable Software and Affected Versions**
AfterLogic Aurora versions 7.7.9 and earlier
WebMail Pro versions 7.7.9 and earlier
**Description**
A directory traversal issue allows files to be read, such as a `settings.xml` file containing admin panel credentials. This can be demonstrated by accessing the `dav/server.php/files/personal/%2e%2e` endpoint using the `caldav public user` account with `caldav public user` as its password.
**Recommendations**
For AfterLogic Aurora versions 7.7.9 and earlier, update to a version that fixes the directory traversal issue.
For WebMail Pro versions 7.7.9 and earlier, update to a version that fixes the directory traversal issue.
As a temporary workaround, consider restricting access to the `dav/server.php/files/personal/` endpoint to minimize the risk of exploitation.
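
A log check to run alongside the workaround above, as an added example rather than code from the advisory or from Afterlogic: it flags access-log requests to the `dav/server.php/files/personal` endpoint whose path decodes to a `..` segment. The common/combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoint prefix named in the advisory.
DAV_PREFIX = "dav/server.php/files/personal"

# Request line of a common/combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[0-9.]+"')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable, so nested encodings are normalized too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_traversal_attempt(raw_path):
    """True if the path targets the DAV files endpoint and has a '..' segment after it."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/").lower()
    if DAV_PREFIX not in path:
        return False
    tail = path.split(DAV_PREFIX, 1)[1]
    # Compare whole segments so names like 'report..2021.txt' are not flagged.
    return any(segment == ".." for segment in tail.split("/"))

def scan(lines):
    """Return the log lines whose request path matches the traversal pattern."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2021:10:00:00 +0000] "PROPFIND /dav/server.php/files/personal/ HTTP/1.1" 207 512',
    '192.0.2.44 - - [01/Feb/2021:10:00:05 +0000] "GET /dav/server.php/files/personal/%2e%2e HTTP/1.1" 200 2048',
    '192.0.2.44 - - [01/Feb/2021:10:00:09 +0000] "GET /dav/server.php/files/personal/%2E%2E/ HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Feb/2021:10:00:12 +0000] "GET /dav/server.php/files/personal/report..2021.txt HTTP/1.1" 200 90',
    '192.0.2.77 - - [01/Feb/2021:10:00:15 +0000] "GET /index.php?x=%2e%2e HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

A hit only shows that a matching request was made; correlate it with the response status and the authenticated DAV user before treating it as a confirmed read.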