PT-2008-1966 · Afterlogic+1 · Afterlogic Mailbee Webmail Pro+1
-=M.O.B=-
Published: 2008-01-17 · Updated: 2022-11-02 · CVE-2008-0333
CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
AfterLogic MailBee WebMail Pro version 4.1 for ASP.NET
Description
A directory traversal vulnerability in the download_view_attachment.aspx file allows remote attackers to read arbitrary files. This is achieved by using a .. (dot dot) sequence in the temp_filename parameter of the vulnerable endpoint "download_view_attachment.aspx".
Recommendations
For AfterLogic MailBee WebMail Pro version 4.1 for ASP.NET, consider restricting access to the download_view_attachment.aspx endpoint until a patch is available, and avoid using the temp_filename parameter with unvalidated input to minimize the risk of exploitation.
Exploit
Fix
Path traversal
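The input validation the Recommendations call for, sketched in C# as an added example (this is not AfterLogic's code or its fix). The class name, method name and temp directory are assumptions chosen for illustration; the check treats the requested name as a bare file name, canonicalizes it, and confirms the result stays inside the temp directory.

```csharp
using System;
using System.IO;

// Added illustration; not AfterLogic code. All names and paths are hypothetical.
public static class AttachmentPathGuard
{
    // Assumed directory holding temporary attachment files (Windows/IIS host).
    private static readonly string TempRoot =
        Path.GetFullPath(@"C:\inetpub\webmail\temp");

    // Returns the canonical path for a requested temp file name,
    // or null when the name is not a plain file name inside TempRoot.
    public static string Resolve(string tempFilename)
    {
        if (string.IsNullOrWhiteSpace(tempFilename)) return null;

        // A temp file name must be a bare name: no separators, drive or
        // stream colons, NULs, or other characters invalid in a file name.
        if (tempFilename.IndexOfAny(new[] { '/', '\\', ':', '\0' }) >= 0) return null;
        if (tempFilename.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        if (tempFilename == "." || tempFilename == "..") return null;

        // Canonicalize, then confirm the result is still under TempRoot.
        string candidate;
        try { candidate = Path.GetFullPath(Path.Combine(TempRoot, tempFilename)); }
        catch (Exception) { return null; } // malformed or over-long path

        string rootWithSep = TempRoot.TrimEnd(Path.DirectorySeparatorChar)
                             + Path.DirectorySeparatorChar;
        return candidate.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase)
            ? candidate
            : null; // caller should answer 404 and log the rejected value
    }

    public static void Main()
    {
        // Constructed sample inputs.
        foreach (var name in new[] { "a1b2c3.tmp", @"..\..\other.txt", "../other.txt", ".." })
            Console.WriteLine("{0,-18} -> {1}", name, Resolve(name) ?? "(rejected)");
    }
}
```

Logging rejected values gives the operations team a detection signal for probing of the endpoint while access restrictions are in place.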
Weakness Enumeration
Related Identifiers
Affected Products
Asp.Net
Afterlogic Mailbee Webmail Pro