Vulnerabilities on MailEnable

Vendor: MailEnable
Vendor URL: https://www.mailenable.com/
Versions affected: MailEnable in Webmail Module for versions 10.41, 9.84, 8.64 and earlier
Systems Affected: tested on v10.41 Standard Edition, but all versions have been patched

Advisory URL / CVE Identifier: CVE-2022-42135, CVE-2022-42136
https://www.mailenable.com/Professional-ReleaseNotes.txt
https://www.mailenable.com/Enterprise-ReleaseNotes.txt
https://www.mailenable.com/Premium-ReleaseNotes.txt
https://www.mailenable.com/Standard-ReleaseNotes9.txt
https://www.mailenable.com/Standard-ReleaseNotes8.txt
https://www.mailenable.com/kb/content/article.asp?ID=ME020737

Risk: Critical, High

Summary
The MailEnable application is a popular mail server with rich features for normal and administrative users. This application mainly uses the.NET Framework. The following vulnerabilities were discovered in the MailEnable application on webmail module:

Critical - CVE-2022-42135: Incorrect Access Controls, patched by 10.42
High - CVE-2022-42136: Directory Traversal, patched by 10.42

Impacts and Brief Details

Incorrect Access Controls (CVE-2022-42135).
The MailEnable solution did not use appropriate access control on specific requests. An authenticated mail user, could submit a crafted request and activate specific privileged services. As a result, the attacker could activate those services and execute RCE commands.

Directory Traversal (CVE-2022-42136).
Authenticated mail users, under specific circumstances, could add files with unsanitized content in public folders where the IIS user had permission to access. That action, could lead an attacker to store arbitrary code on that files and execute RCE commands.

Recommendation
Install the latest application patch (at least 10.42). The 10.42 patch that was released on 07/10/2022 should be sufficient to stop most of the reported vulnerabilities including all critical and high risk issues. However, it is highly recommended to update to the highest published version (currently 10.43).