PT-2005-1410 · Desknow · Desknow Mail/Collaboration Server

Tan Chew Keong · Published 2005-02-10 · Updated 2017-07-11 · CVE-2005-0332

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: DeskNow Mail and Collaboration Server version 2.5.12

Description: A directory traversal issue allows remote attackers to upload and possibly execute files outside the intended directory by manipulating the AttachmentsKey parameter to the "attachment.do" endpoint, or delete arbitrary files via the select file parameter to the "file.do" endpoint.

Recommendations: For DeskNow Mail and Collaboration Server version 2.5.12, consider restricting access to the "attachment.do" and "file.do" endpoints until a fix is available, and avoid using the AttachmentsKey and select file parameters in these endpoints to minimize the risk of exploitation.

Fix


Related Identifiers

CVE-2005-0332

Affected Products

Desknow Mail/Collaboration Server