Icewarp: >> Mail Server >> 11.4.0 Security Vulnerabilities
HTTP host header injection vulnerability in Icewarp Mail Server affecting version 11.4.0. By modifying the Host header and adding a payload, arbitrary JavaScript code can be executed on page load. The user must interact with a malicious link to be redirected.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-05-16
Cross-site scripting (XSS) in Icewarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to modify the “lastLogin” cookie with malicious JavaScript code that will be executed when the page is rendered.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-05-16
Open redirection vulnerability in IceWarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to redirect a user to any domain by sending a malicious URL to the victim, for example “ https://icewarp.domain.com//<MALICIOUS_DOMAIN>/%2e%2e” https://icewarp.domain.com///%2e%2e” . This vulnerability has been tested in Firefox.
CVSS Score
6.1
EPSS Score
0.003
Published
2025-05-16
Open Redirect vulnerability exists in IceWarp MailServer IceWarp Server Deep Castle 2 Update 1 (13.0.1.2) via the referer parameter.
CVSS Score
6.1
EPSS Score
0.096
Published
2023-07-27
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 1 of 2) in notes for contacts.
CVSS Score
6.1
EPSS Score
0.003
Published
2020-01-06
IceWarp WebMail Server 12.2.0 and 12.1.x before 12.2.1.1 (and probably earlier versions) allows XSS (issue 2 of 2) in notes for objects.
CVSS Score
5.4
EPSS Score
0.003
Published
2020-01-06
In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ username field.
CVSS Score
6.1
EPSS Score
0.004
Published
2018-09-01