Icewarp: Security Vulnerabilities
IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index.php?style=..%5c directory traversal.
CVSS Score
7.5
EPSS Score
0.751
Published
2019-06-03
In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ username field.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-09-01
Cross-site scripting (XSS) vulnerability for webdav/ticket/ URIs in IceWarp Mail Server 12.0.3 allows remote attackers to inject arbitrary web script or HTML.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-06-30
Multiple directory traversal vulnerabilities in IceWarp Mail Server before 11.2 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the file parameter to a webmail/client/skins/default/css/css.php page or .../. (dot dot dot slash dot) in the (2) script or (3) style parameter to webmail/old/calendar/minimizer/index.php.
CVSS Score
7.5
EPSS Score
0.912
Published
2018-05-08
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" parameter.
CVSS Score
6.1
EPSS Score
0.005
Published
2017-08-31
Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated domain administrators to inject arbitrary web script or HTML via a crafted user name.
CVSS Score
4.8
EPSS Score
0.002
Published
2017-08-23
server/webmail.php in IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML external entity declaration in conjunction with an entity reference.
CVSS Score
6.4
EPSS Score
0.106
Published
2011-09-30
IceWarp WebMail in IceWarp Mail Server before 10.3.3 allows remote attackers to obtain configuration information via a direct request to the /server URI, which triggers a call to the phpinfo function.
CVSS Score
5.0
EPSS Score
0.004
Published
2011-09-30
Multiple cross-site scripting (XSS) vulnerabilities in IceWarp eMail Server and WebMail Server before 9.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the body of a message, related to the email view and incorrect HTML filtering in the cleanHTML function in server/inc/tools.php; or the (2) title, (3) link, or (4) description element in an RSS feed, related to the getHTML function in server/inc/rss/item.php.
CVSS Score
4.3
EPSS Score
0.054
Published
2009-05-05
Multiple SQL injection vulnerabilities in the search form in server/webmail.php in the Groupware component in IceWarp eMail Server and WebMail Server before 9.4.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) sql and (2) order_by elements in an XML search query.
CVSS Score
6.5
EPSS Score
0.003
Published
2009-05-05