Icewarp: Security Vulnerabilities
IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was discovered to contain a SQL injection vulnerability via the search parameter at /webmail/server/webmail.php.
CVSS Score
9.8
EPSS Score
0.003
Published
2022-08-23
Cross Site Scripting (XSS) in Webmail Calender in IceWarp WebClient 10.3.5 allows remote attackers to inject arbitrary web script or HTML via the "p4" field.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-07-07
IceWarp 11.4.5.0 allows XSS via the language parameter.
CVSS Score
6.1
EPSS Score
0.079
Published
2020-11-02
IceWarp Email Server 12.3.0.1 has Incorrect Access Control for user accounts.
CVSS Score
6.5
EPSS Score
0.007
Published
2020-07-15
IceWarp Email Server 12.3.0.1 allows remote attackers to upload files and consume disk space.
CVSS Score
6.5
EPSS Score
0.024
Published
2020-07-15
IceWarp Email Server 12.3.0.1 allows remote attackers to upload JavaScript files that are dangerous for clients to access.
CVSS Score
8.8
EPSS Score
0.03
Published
2020-07-15
In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webmail/ color parameter.
CVSS Score
6.1
EPSS Score
0.383
Published
2020-02-01
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 1 of 2) in notes for contacts.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-01-06
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-01-06
IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of confidential data of IceWarp Mailserver and the operating system. Input passed via a certain parameter (script to basic/minimizer/index.php) is not properly sanitised and can therefore be exploited to browse the partition where IceWarp is installed (or the whole system) and read arbitrary files.
CVSS Score
7.5
EPSS Score
0.019
Published
2019-10-11