Vulnerability Details CVE-2019-12924
MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 5.0
References
- http://www.mailenable.com/Premium-ReleaseNotes.txt
- https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-mailenable/
- http://www.mailenable.com/Premium-ReleaseNotes.txt
- https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-mailenable/
Products affected by CVE-2019-12924
-
cpe:2.3:a:mailenable:mailenable:*