CVE-2019-15071: Openfind MAIL2000 Webmail Pre-Auth Cross-Site Scripting
First published: Wed Nov 20 2019(Updated: )
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.
Credit: twcert@cert.org.tw
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Openfind Mail2000 | >=6.0<=7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d
- https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27
- https://tvn.twcert.org.tw/taiwanvn/TVN-201909001
- https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt
- https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf
- https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf
- https://www.openfind.com.tw/taiwan/resource.html
- https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/title
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/openfind
- canonical/openfind mail2000
- version/openfind mail2000/6.0
- version/openfind mail2000/7.0