9.8
CVE-2019-12924
- EPSS 0.12%
- Published 08.07.2019 21:15:10
- Last modified 21.11.2024 04:23:49
- Source cve@mitre.org
MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).
Data provided by the National Vulnerability Database (NVD)
Affected configurations (CPE, vendor Mailenable, product Mailenable, sw_edition premium):
- Version >= 6.0 and < 6.90
- Version >= 7.0 and < 7.62
- Version >= 8.00 and < 8.64
- Version >= 9.0 and < 9.83
- Version >= 10.00 and < 10.24
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.303 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 5 | 10 | 2.9 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
CWE-311 Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.
CWE-611 Improper Restriction of XML External Entity Reference
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.