PT-2021-16987 · Afterlogic · Afterlogic Aurora+1

Published: 2021-03-04 · Updated: 2021-03-11 · CVE-2021-26293

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

AfterLogic Aurora versions 8.5.3 and earlier
WebMail Pro versions 8.5.3 and earlier

Description

An issue allows directory traversal to create new files, such as an executable file under the web root, when DAV is enabled. This is related to DAVServer.php in 8.x and DAV/Server.php in 7.x.

Recommendations

For AfterLogic Aurora versions 8.5.3 and earlier, consider disabling DAV until a patch is available.
For WebMail Pro versions 8.5.3 and earlier, consider disabling DAV until a patch is available.
As a temporary workaround, consider restricting access to DAVServer.php and DAV/Server.php to minimize the risk of exploitation.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2021-26293

Affected Products

Afterlogic Aurora
Webmail Pro