CVE-2019-15071

EPSS 1.03%
Veröffentlicht 20.11.2019 04:15:10
Zuletzt bearbeitet 21.11.2024 04:27:59
Quelle twcert@cert.org.tw
CVE-Watchlists
Login
Unerledigt
Login

The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openfind ≫ Mail2000 Version >= 6.0 <= 7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.03%	0.753

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf

https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf

https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d

Third Party Advisory

https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27

Third Party Advisory

https://tvn.twcert.org.tw/taiwanvn/TVN-201909001

Third Party Advisory

https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt

Third Party Advisory

https://www.openfind.com.tw/taiwan/resource.html

Vendor Advisory