CVE-2020-23776

Name of the Vulnerable Software and Affected Versions: Winmail version 6.5

Description: A Server-Side Request Forgery (SSRF) issue exists in the app.php file, specifically in the key parameter when HTTPS is enabled. This allows an attacker to manipulate the server into sending a request to a specific URL. Furthermore, an attacker can modify the HOST value in the request header to control where the server sends the request.

Recommendations: For Winmail version 6.5, as a temporary workaround, consider restricting access to the app.php file or disabling the key parameter when HTTPS is on until a patch is available. Additionally, restrict modifications to the HOST header value to prevent unauthorized requests.