The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.
References
Link | Resource |
---|---|
https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d | Third Party Advisory |
https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27 | Third Party Advisory |
https://tvn.twcert.org.tw/taiwanvn/TVN-201909001 | Third Party Advisory |
https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt | Third Party Advisory |
https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf | |
https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf | |
https://www.openfind.com.tw/taiwan/resource.html | Product Vendor Advisory |
https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html | Third Party Advisory |
Configurations
History
No history.
Information
Published : 2019-11-20 04:15
Updated : 2024-02-04 20:39
NVD link : CVE-2019-15071
Mitre link : CVE-2019-15071
CVE.ORG link : CVE-2019-15071
JSON object : View
Products Affected
openfind
- mail2000
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')