PT-2019-13969 · Mail2000 · Mail2000
Tony Kuo
+1
·
Published
2019-11-20
·
Updated
2019-11-22
·
CVE-2019-15071
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
MAIL2000 versions 6.0 and 7.0
Description
The issue allows for the execution of arbitrary code via the
ACTION parameter in the "/cgi-bin/go" page without requiring authentication. This can be executed for any user accessing the page. It is reported to affect many mail systems of governments, organizations, companies, and universities.Recommendations
For MAIL2000 versions 6.0 and 7.0, consider restricting access to the "/cgi-bin/go" page until a fix is available, and avoid using the
ACTION parameter in this endpoint to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mail2000