IlohaMail Contacts Deletion Vulnerability Network Vulnerability

Summary

The target is running at least one instance of IlohaMail version 0.7.9-RC2 or earlier. Such versions contain a flaw that enables an authenticated user to delete contacts belonging to any user provided the DB-based backend is used to store contacts. The flaw arises because ownership of 'delete_item' is not checked when deleting entries in include/save_contacts.MySQL.inc. ***** OVS has determined the vulnerability exists on the target ***** simply by looking at the version number of IlohaMail ***** installed there.

Solution

Upgrade to IlohaMail version 0.7.9 or later.

Severity

Classification

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:N/I:N/A:P

Related Vulnerabilities

Apache mod_proxy_ajp Information Disclosure Vulnerability
Aker Secure Mail Gateway Cross-Site Scripting Vulnerability
Apache ActiveMQ Multiple Vulnerabilities
Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities
Apache Tomcat NIO Connector Denial of Service Vulnerability

Take action and discover your vulnerabilities