Vulnerabilities on MailEnable

a guest
Dec 17th, 2022
Vendor: MailEnable
Vendor URL: https://www.mailenable.com/
Versions affected: MailEnable Webmail module, versions 10.41, 9.84, 8.64 and earlier
Systems Affected: tested on v10.41 Standard Edition, but all versions have been patched

Advisory URL / CVE Identifier: CVE-2022-42135, CVE-2022-42136
https://www.mailenable.com/Professional-ReleaseNotes.txt
https://www.mailenable.com/Enterprise-ReleaseNotes.txt
https://www.mailenable.com/Premium-ReleaseNotes.txt
https://www.mailenable.com/Standard-ReleaseNotes9.txt
https://www.mailenable.com/Standard-ReleaseNotes8.txt
https://www.mailenable.com/kb/content/article.asp?ID=ME020737

Risk: Critical, High

Summary
The MailEnable application is a popular mail server with rich features for regular and administrative users. The application is built mainly on the .NET Framework. The following vulnerabilities were discovered in the webmail module of the MailEnable application:

Critical - CVE-2022-42135: Incorrect Access Controls, patched in 10.42
High - CVE-2022-42136: Directory Traversal, patched in 10.42

Impacts and Brief Details

Incorrect Access Controls (CVE-2022-42135)
The MailEnable solution did not apply appropriate access control to specific requests. An authenticated mail user could submit a crafted request and activate specific privileged services. As a result, the attacker could activate those services and achieve remote code execution (RCE).

Directory Traversal (CVE-2022-42136)
Under specific circumstances, authenticated mail users could add files with unsanitized content to public folders that the IIS user had permission to access. This could allow an attacker to store arbitrary code in those files and achieve remote code execution (RCE).
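The two issues above belong to well-known classes: a privileged request that checks only that the caller is logged in, and a file write whose name is taken from the request and lands in a folder the web server serves. The following block is an added, generic illustration of the server-side checks that close both classes; it is not MailEnable's code, models no real MailEnable endpoint, and the user accounts, action names, folder path and allowed-extension policy are all constructed for the example.

```python
"""Defensive illustration of the two vulnerability classes in the advisory:
missing authorization on privileged requests (CVE-2022-42135) and
directory traversal in file writes to a web-served folder (CVE-2022-42136).
Generic example code; it is not MailEnable's code and models no real endpoint."""
import os
import pathlib

# Constructed sample accounts: every user is authenticated, only one is admin.
USERS = {
    "alice": {"mailbox"},
    "bob": {"mailbox"},
    "postmaster": {"mailbox", "admin"},
}

# Hypothetical actions and the role each one requires. Activating
# server-side services is restricted to administrators.
REQUIRED_ROLE = {
    "read_mail": "mailbox",
    "upload_public_file": "mailbox",
    "enable_service": "admin",
}

# Assumed upload policy: only inert file types may land in the public folder,
# so nothing a web server would execute can be stored there.
ALLOWED_EXT = {".txt", ".png", ".jpg", ".pdf"}


class Forbidden(Exception):
    pass


def authorize(user, action):
    """Server-side authorization: being logged in is not enough, the user must
    also hold the role the action needs. Unknown actions are denied by default."""
    needed = REQUIRED_ROLE.get(action)
    if needed is None:
        raise Forbidden(f"unknown action {action!r}")
    if needed not in USERS.get(user, set()):
        raise Forbidden(f"{user!r} lacks role {needed!r} for {action!r}")
    return True


def can_perform(user, action):
    """Boolean wrapper around authorize() for callers that do not want exceptions."""
    try:
        return authorize(user, action)
    except Forbidden:
        return False


def safe_public_path(public_root, requested_name):
    """Map a user-supplied file name onto public_root and refuse anything that
    could escape it or bypass the allowed file types."""
    # Flat names only: any separator, traversal token or NUL byte is rejected
    # before a path is ever built (backslash matters on Windows/IIS).
    if any(ch in requested_name for ch in "/\\\x00"):
        raise ValueError(f"separator in file name {requested_name!r}")
    if requested_name in ("", ".", ".."):
        raise ValueError(f"rejected file name {requested_name!r}")
    ext = os.path.splitext(requested_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"file type {ext!r} not allowed in public folder")
    root = pathlib.Path(public_root).resolve()
    candidate = (root / requested_name).resolve()
    # Belt and braces: after resolution the file must still sit directly in root.
    if candidate.parent != root:
        raise ValueError(f"path escapes public root: {requested_name!r}")
    return candidate


def is_safe_upload(public_root, requested_name):
    """Boolean wrapper around safe_public_path()."""
    try:
        safe_public_path(public_root, requested_name)
        return True
    except ValueError:
        return False


def handle_upload(user, requested_name, public_root):
    """Combined check a request handler would run before writing an upload:
    authorization first, then path validation. Returns the final path."""
    authorize(user, "upload_public_file")
    return safe_public_path(public_root, requested_name)


if __name__ == "__main__":
    # Constructed requests: a regular user trying the admin-only action, and
    # upload names carrying a traversal sequence or an executable extension.
    print(can_perform("alice", "enable_service"))                    # False
    print(can_perform("postmaster", "enable_service"))               # True
    print(is_safe_upload("/srv/webmail/public", "note.txt"))         # True
    print(is_safe_upload("/srv/webmail/public", "../web.config"))    # False
    print(is_safe_upload("/srv/webmail/public", "shell.aspx"))       # False
```

The ordering in handle_upload is the point: the role check runs before any path work, and the path check rejects separators and disallowed extensions before resolving, then re-verifies the resolved parent so that a symlink or platform-specific separator cannot move the write outside the public root.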
  29.  
Recommendation
Install the latest application patch (at least 10.42). The 10.42 patch, released on 07/10/2022, should be sufficient to stop most of the reported vulnerabilities, including all critical and high risk issues. However, it is highly recommended to update to the highest published version (currently 10.43).