PT-2018-4345 · Icewarp · Icewarp Mail Server

Piotr Karolak · Published 2018-05-08 · Updated 2018-06-12 · CVE-2015-1503

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

IceWarp Mail Server versions prior to 11.2

Description

The issue allows remote attackers to read arbitrary files through directory traversal: by using a '..' (dot dot) in the file parameter to the "webmail/client/skins/default/css/css.php" page, or by using a '.../.' (dot dot dot slash dot) in the script or style parameter to the "webmail/old/calendar/minimizer/index.php" page.

Recommendations

For versions prior to 11.2, update to version 11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable pages, such as "webmail/client/skins/default/css/css.php" and "webmail/old/calendar/minimizer/index.php", until a patch is available.
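
For hosts that cannot be updated immediately, web access logs can be reviewed for traversal sequences in the parameters named above. The following is an added example, not part of the advisory or of IceWarp's code: it assumes combined-format access logs, and the function names, the decoding depth and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Pages and parameters named in the advisory description.
WATCHED = {
    "/webmail/client/skins/default/css/css.php": {"file"},
    "/webmail/old/calendar/minimizer/index.php": {"script", "style"},
}
# Two or more dots bounded by a path separator: covers both '..' and '.../.'.
TRAVERSAL = re.compile(r"(^|[\\/])\.{2,}([\\/]|$)")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so that %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(path, param, decoded_value)] for traversal attempts on watched pages."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    path = fully_decode(url.path).lower()
    params = next((p for ep, p in WATCHED.items() if path.endswith(ep)), None)
    if params is None:
        return []
    hits = []
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl has already decoded one layer
        if name.lower() in params and TRAVERSAL.search(value):
            hits.append((path, name.lower(), value))
    return hits

# Constructed sample log lines (documentation IP range, placeholder file name).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2018:10:00:00 +0000] "GET /webmail/client/skins/default/css/css.php?file=default.css HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/May/2018:10:00:01 +0000] "GET /webmail/client/skins/default/css/css.php?file=..%2f..%2fCONSTRUCTED.txt HTTP/1.1" 200 90',
    '203.0.113.9 - - [08/May/2018:10:00:02 +0000] "GET /webmail/old/calendar/minimizer/index.php?style=%252e%252e%252e%2f.%2fCONSTRUCTED.txt HTTP/1.1" 200 90',
    '203.0.113.7 - - [08/May/2018:10:00:03 +0000] "GET /webmail/index.html?file=../x HTTP/1.1" 200 10',
]
if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line))
```

A hit with a 200 response status on an unpatched server is worth treating as a possible file disclosure and following up on.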

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2015-1503

Affected Products

Icewarp Mail Server