Openfind MAIL2000 Webmail Pre-Auth Cross-Site Scripting
CVE-2019-15071

6.1 MEDIUM

Key Information:

Vendor
Openfind
Status
Vendor
CVE Published:
20 November 2019

Summary

The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability that allows execution of arbitrary code via the ACTION parameter without authentication. The code can be executed for any user accessing the page. This vulnerability affects many mail systems of governments, organizations, companies and universities.
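
Added example (not from the advisory or the vendor): a log check that flags requests to "/cgi-bin/go" whose ACTION value, after repeated URL-decoding, falls outside an allowlist. The allowlist pattern, the access-log format, the case-insensitive parameter match and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Assumption: legitimate ACTION values are short plain tokens; tune per deployment.
SAFE_ACTION = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# Assumption: common/combined access-log format with a quoted request line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_actions(log_line):
    """Return decoded ACTION values of a /cgi-bin/go request that fail the allowlist."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path.rstrip("/") != "/cgi-bin/go":
        return []
    hits = []
    # parse_qs performs the first round of URL-decoding.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name.upper() != "ACTION":  # assumption: match the name case-insensitively
            continue
        hits += [d for d in map(fully_decode, values) if not SAFE_ACTION.match(d)]
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Nov/2019:10:00:00 +0800] "GET /cgi-bin/go?ACTION=sample_value HTTP/1.1" 200 512',
    '192.0.2.11 - - [20/Nov/2019:10:00:05 +0800] "GET /cgi-bin/go?ACTION=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640',
    '192.0.2.12 - - [20/Nov/2019:10:00:09 +0800] "GET /cgi-bin/go?ACTION=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 640',
    '192.0.2.13 - - [20/Nov/2019:10:00:12 +0800] "GET /index.html?ACTION=%3Cb%3E HTTP/1.1" 200 100',
]

def scan(lines):
    """Return (line index, decoded value) for every suspicious ACTION value."""
    return [(i, hit) for i, line in enumerate(lines) for hit in suspicious_actions(line)]

if __name__ == "__main__":
    for idx, value in scan(SAMPLE_LOG):
        print(f"line {idx}: suspicious ACTION value {value!r}")
```
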

Affected Version(s)

MAIL2000 6.0

MAIL2000 7.0

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tony Kuo (CHT Security), Vtim (CHT Security)