6.1
CVE-2019-15071
- EPSS 1.63%
- Veröffentlicht 20.11.2019 04:15:10
- Zuletzt bearbeitet 21.11.2024 04:27:59
- Quelle twcert@cert.org.tw
- CVE-Watchlists
- Unerledigt
LoginOpenfind MAIL2000 Webmail Pre-Auth Cross-Site Scripting
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.63% | 0.731 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf
https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf
https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d
https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27
https://tvn.twcert.org.tw/taiwanvn/TVN-201909001
https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt
https://www.openfind.com.tw/taiwan/resource.html
https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html