PT-2023-20010 · GFI · GFI Kerio Connect
Frycos · Published 2023-03-15 · Updated 2023-03-24
CVE-2023-25267
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GFI Kerio Connect versions 9.4.1 patch 1 through 9.4.1 patch 1
Description
An issue was discovered in the webmail component's 2FASetup function, which is vulnerable to a stack-based buffer overflow. The overflow is triggered by an authenticated request carrying an overlong primaryEMailAddress field sent to the "webmail/api/jsonrpc" URI.
Recommendations
For GFI Kerio Connect version 9.4.1 patch 1, update to version 10.0.0 to resolve the issue.
As a temporary workaround, consider restricting access to the webmail component's 2FASetup function until a patch is available.
Avoid sending long primaryEMailAddress values to the affected API endpoint until the issue is resolved.
Exploit
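The two workarounds above (restrict access to 2FASetup, reject overlong primaryEMailAddress values) can be enforced in front of the webmail API by screening JSON-RPC request bodies. The following is an added example written for this page, not GFI code: the JSON-RPC method name containing "2FASetup" (shown here as the placeholder "Placeholder.2FASetup"), the 254-character bound (the practical RFC 5321 maximum for an address), the URI suffix match, and the helper names `screen_request`, `_walk` and `run_samples` are all assumptions; the sample requests are constructed, not captured traffic.

```python
"""Screening for JSON-RPC requests to the Kerio Connect webmail endpoint.

Added example, not the vendor's code.  Flags (a) any call whose method name
contains "2FASetup" when that function is being temporarily restricted, and
(b) any primaryEMailAddress string longer than an assumed bound, anywhere in
the request, including inside JSON-RPC batch arrays.
"""
import json
from typing import Any, Iterator, List, Tuple

MAX_EMAIL_LEN = 254              # assumed bound: practical RFC 5321 maximum
WATCHED_FIELD = "primaryEMailAddress"
RESTRICTED_SUBSTR = "2FASetup"   # assumed to appear in the JSON-RPC method name
ENDPOINT_SUFFIX = "webmail/api/jsonrpc"


def _walk(node: Any, path: str = "$") -> Iterator[Tuple[str, Any]]:
    """Yield (json-path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, node


def screen_request(uri: str, body: str, block_2fa_setup: bool = False) -> dict:
    """Return {"action": "allow" | "block", "reasons": [...]} for one request."""
    if not uri.rstrip("/").endswith(ENDPOINT_SUFFIX):
        return {"action": "allow", "reasons": []}   # not the affected endpoint
    try:
        doc = json.loads(body)
    except ValueError:
        return {"action": "block", "reasons": ["body is not valid JSON"]}

    reasons: List[str] = []
    # JSON-RPC permits batch requests (an array of calls); normalise to a list.
    calls = doc if isinstance(doc, list) else [doc]
    for call in calls:
        method = str(call.get("method", "")) if isinstance(call, dict) else ""
        if block_2fa_setup and RESTRICTED_SUBSTR in method:
            reasons.append(f"method {method!r} is temporarily restricted")
        for path, value in _walk(call):
            if (path.endswith("." + WATCHED_FIELD)
                    and isinstance(value, str)
                    and len(value) > MAX_EMAIL_LEN):
                reasons.append(f"{path} is {len(value)} chars (> {MAX_EMAIL_LEN})")
    return {"action": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample traffic (not captured from a real system).
SAMPLES = [
    ("/webmail/api/jsonrpc", json.dumps({
        "jsonrpc": "2.0", "id": 1, "method": "Placeholder.2FASetup",  # assumed name
        "params": {"primaryEMailAddress": "user@example.com"}})),
    ("/webmail/api/jsonrpc", json.dumps({
        "jsonrpc": "2.0", "id": 2, "method": "Placeholder.2FASetup",
        "params": {"primaryEMailAddress": "x" * 4096}})),            # overlong field
    ("/webmail/api/jsonrpc", "{not json"),                            # malformed body
    ("/webmail/", "unrelated request"),                               # other URI
]


def run_samples(block_2fa_setup: bool = False) -> List[str]:
    """Screen every constructed sample and return the list of actions."""
    return [screen_request(uri, body, block_2fa_setup)["action"]
            for uri, body in SAMPLES]


if __name__ == "__main__":
    for (uri, body), action in zip(SAMPLES, run_samples()):
        print(f"{action:5s} {uri} {body[:60]!r}")
```

Deploy the check only on the affected endpoint path; the length rule alone is enough to stop the overlong-field case without breaking normal 2FA enrolment, while `block_2fa_setup=True` implements the stricter "restrict access to 2FASetup" workaround for the interval before the upgrade to 10.0.0.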
Fix
Memory Corruption
Affected Products
GFI Kerio Connect