Summary
The host is running IceWarp Mail Server and is prone to an XML external entity (XXE) injection vulnerability and an information disclosure vulnerability.
Vulnerability:
The flaws are due to:
- Certain input passed via SOAP messages to 'server/webmail.php' is not properly verified before being used. This can be exploited to disclose the contents of arbitrary files.
- An unspecified script, which calls the 'phpinfo()' function, is stored with insecure permissions inside the web root. This can be exploited to gain knowledge of sensitive information.
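The first flaw is the classic XML external entity problem: a SOAP endpoint hands attacker-controlled XML to a parser that honours DOCTYPE and entity declarations, so an entity pointing at a local file is expanded into the response. The following is an added example, not IceWarp's code and not a description of how 'server/webmail.php' is implemented. It shows the defensive side in Python with the standard library's expat parser: the SOAP body is parsed with handlers that refuse any DOCTYPE or entity declaration before the body is used, and a cheap pre-filter flags such requests for logging. The element names (GetFolders, sid, folder) and both request bodies are constructed for the example; the external reference in the rejected sample is a placeholder path.

```python
"""Refuse DTD and entity declarations in a SOAP request before using its body.

Added example; assumes nothing about IceWarp's real SOAP schema. Element
names and request bodies below are constructed for illustration.
"""
import re
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a request carries a DOCTYPE or an entity declaration."""


# Constructed sample: a plain SOAP request with no DTD.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetFolders>
      <sid>abc123</sid>
      <folder>INBOX</folder>
    </GetFolders>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample of the XXE pattern: an internal DTD declares an entity
# whose value is read from the server's filesystem (placeholder path).
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetFolders><folder>&ext;</folder></GetFolders></soap:Body>
</soap:Envelope>"""

_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def is_suspicious_request(raw: bytes) -> bool:
    """Cheap pre-filter for a WAF or request log: SOAP clients never need a DTD."""
    return _DTD_MARKERS.search(raw) is not None


def parse_soap_body(raw: bytes) -> dict:
    """Parse a SOAP envelope, rejecting any DOCTYPE or entity declaration.

    Returns {local element name: text} for leaf elements under soap:Body.
    Raises UnsafeXMLError as soon as the parser sees a DTD, before any
    entity could be expanded.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    fields: dict = {}
    stack: list = []   # local names of open elements
    text: list = []    # character data of the innermost open element

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed in a SOAP request")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration '{name}' is not allowed")

    def start_element(name, attrs):
        # With namespace processing, names arrive as "uri}local".
        stack.append(name.rsplit("}", 1)[-1])
        text.clear()

    def char_data(data):
        text.append(data)

    def end_element(name):
        local = stack.pop()
        content = "".join(text).strip()
        if content and "Body" in stack:
            fields[local] = content
        text.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(raw, True)
    return fields


def screen_request(raw: bytes):
    """Return ("ok", fields) for a clean request or ("rejected", reason)."""
    try:
        return "ok", parse_soap_body(raw)
    except UnsafeXMLError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("xxe", XXE_REQUEST)):
        print(label, "prefilter hit:", is_suspicious_request(body),
              "->", screen_request(body))
```

The parser-level rejection is the actual control; the regex pre-filter only exists so that rejected requests can be counted and alerted on without parsing them twice. A hardened PHP deployment would reach the same state by disabling external entity loading for its XML parser and rejecting documents that carry a DOCTYPE.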
Impact
Successful exploitation will allow an attacker to gain access to potentially sensitive information and possibly cause denial-of-service conditions. Other attacks may also be possible.
Impact Level: Application
Solution
Upgrade to IceWarp Mail Server 10.3.3 or later.
For updates refer to http://www.icewarp.com
Affected
IceWarp Mail Server 10.3.2 and prior.
References
-
Severity
CVSS Base Score: 6.4
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P
Classification
CVE: CVE-2011-3579, CVE-2011-3580