PT-2019-11645 · Mailstore · Mailstore Server Service Provider Edition
Published 2019-12-31 · Updated 2020-08-24 · CVE-2019-10229
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
MailStore Server versions 9.x through 11.x before 11.2.2
MailStore Server Service Provider Edition versions 9.x through 11.x before 11.2.2
Description:
An issue allows an attacker to log in as an existing user with an arbitrary password on the second login attempt when the directory service is set to Generic LDAP.
Recommendations:
For MailStore Server versions 9.x through 11.x before 11.2.2, update to version 11.2.2 or later.
For MailStore Server Service Provider Edition versions 9.x through 11.x before 11.2.2, update to version 11.2.2 or later.
As a temporary workaround, consider restricting access to the Generic LDAP directory service until a patch is available.
Status: Fix
Weakness Enumeration:
Insufficient Session Expiration
Related Identifiers:
CVE-2019-10229
Affected Products:
Mailstore Server
Mailstore Server Service Provider Edition