Directory Traversal Vulnerabilities in IceWarp Mail Server by IceWarp
CVE-2015-1503

7.5HIGH

Key Information:

Vendor

Icewarp

Status
Mail Server
Vendor
CVE Published:
8 May 2018

What is CVE-2015-1503?

Multiple directory traversal vulnerabilities exist in IceWarp Mail Server versions before 11.2. These vulnerabilities enable remote attackers to exploit the application by manipulating file parameters, allowing them to read arbitrary files from the server. Specifically, an attacker can utilize a .. (dot dot) sequence in the file parameter directed at the css.php page within the webmail/client/skins/default/css directory, or by using a .../ (dot dot dot slash dot) sequence in the script or style parameters aimed at the webmail/old/calendar/minimizer/index.php page.

References

https://www.trustwave.com/Resources/Security-Advisories/A...
x_refsource_MISC
http://packetstormsecurity.com/files/147505/IceWarp-Mail-...
x_refsource_MISC
https://www.exploit-db.com/exploits/44587/
exploitx_refsource_EXPLOIT-DB

EPSS Score

91% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.