- Vendor: MailEnable
- Vendor URL: https://www.mailenable.com/
- Versions affected: MailEnable Webmail module, versions 10.41, 9.84, 8.64 and earlier
- Systems affected: tested on v10.41 Standard Edition, but all versions have been patched
- Advisory URL / CVE Identifier: CVE-2022-42135, CVE-2022-42136
- https://www.mailenable.com/Professional-ReleaseNotes.txt
- https://www.mailenable.com/Enterprise-ReleaseNotes.txt
- https://www.mailenable.com/Premium-ReleaseNotes.txt
- https://www.mailenable.com/Standard-ReleaseNotes9.txt
- https://www.mailenable.com/Standard-ReleaseNotes8.txt
- https://www.mailenable.com/kb/content/article.asp?ID=ME020737
- Risk: Critical, High
- Summary
- The MailEnable application is a popular mail server with rich features for normal and administrative users. The application is built mainly on the .NET Framework. The following vulnerabilities were discovered in the webmail module of the MailEnable application:
- Critical - CVE-2022-42135: Incorrect Access Controls, patched by 10.42
- High - CVE-2022-42136: Directory Traversal, patched by 10.42
- Impacts and Brief Details
- Incorrect Access Controls (CVE-2022-42135).
- The MailEnable solution did not apply appropriate access control to specific requests. An authenticated mail user could submit a crafted request and activate specific privileged services. As a result, the attacker could use those services to achieve remote code execution (RCE).
- Directory Traversal (CVE-2022-42136).
- Authenticated mail users, under specific circumstances, could add files with unsanitized content to public folders that the IIS user had permission to access. This could let an attacker store arbitrary code in those files and achieve remote code execution (RCE).
- Recommendation
- Install the latest application patch (at least 10.42). The 10.42 patch, released on 07/10/2022, should be sufficient to stop most of the reported vulnerabilities, including all critical and high risk issues. However, it is highly recommended to update to the highest published version (currently 10.43).
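The directory traversal item above (CVE-2022-42136) comes down to two missing controls on a file-write path: confining the destination to the intended public folder, and refusing content that IIS would execute rather than serve. The following is an added illustration of how a webmail file-write routine can enforce both; it is not MailEnable's code, and the folder layout, function names and the list of blocked extensions are assumptions made for this example.

```python
"""
Illustrative hardening for a user-controlled file write under an IIS-served
public folder. Added example, not MailEnable's code: the root directory,
the function names and the blocked extensions are assumptions.
"""
import re
from pathlib import Path

# Assumed: extensions that IIS/ASP.NET would execute instead of serving as data.
ACTIVE_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".cshtml", ".config",
                     ".exe", ".dll"}

# Conservative allow-list for a file name: no separators, no NUL, no spaces.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


class RejectedUpload(ValueError):
    """Raised when a submitted file name or destination fails validation."""


def resolve_upload_target(public_root: Path, user_supplied_name: str) -> Path:
    """Return a destination path guaranteed to lie directly inside public_root.

    Checks, in order:
      1. the name matches a strict allow-list and contains no '..', so it
         cannot express a traversal at all;
      2. none of its extensions (also 'shell.aspx.txt') is active content;
      3. after resolving '..' and symlinks, the parent of the result is still
         public_root itself (defence in depth against anything 1 missed).
    """
    if not SAFE_NAME.match(user_supplied_name) or ".." in user_supplied_name:
        raise RejectedUpload(f"bad file name: {user_supplied_name!r}")
    if any(s.lower() in ACTIVE_EXTENSIONS for s in Path(user_supplied_name).suffixes):
        raise RejectedUpload(f"active content not allowed: {user_supplied_name!r}")
    root = public_root.resolve()
    target = (root / user_supplied_name).resolve()
    if target.parent != root:
        raise RejectedUpload(f"escapes public folder: {target}")
    return target


def classify_names(root_dir: str, names) -> dict:
    """Map each candidate name to True (accepted) or False (rejected)."""
    result = {}
    for name in names:
        try:
            resolve_upload_target(Path(root_dir), name)
            result[name] = True
        except RejectedUpload:
            result[name] = False
    return result


if __name__ == "__main__":
    # Constructed sample names, including the traversal and active-content cases.
    samples = ["notes.txt", "../web.config", "shell.aspx", "shell.aspx.txt",
               "a/b.txt", "..", "Report-2022.pdf"]
    for name, ok in classify_names(".", samples).items():
        print(f"{'accept' if ok else 'reject':7} {name}")
```

The allow-list check alone would already stop the traversal; the final `resolve()` comparison is kept because it also catches a symlink planted inside the public folder, and the extension check addresses the second half of the finding, where stored content is later executed by the web server.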