Refine your search
6 vulnerabilities found for Mail2000 by Openfind
CVE-2023-28705 (GCVE-0-2023-28705)
Vulnerability from cvelistv5
Published
2023-06-02 00:00
Modified
2025-01-08 20:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Openfind Mail2000 has insufficient filtering special characters of email content of its content filtering function. A remote attacker can exploit this vulnerability using phishing emails that contain malicious web pages injected with JavaScript. When users access the system and open the email, it triggers an XSS (Reflected Cross-site scripting) attack.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:43:23.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-7158-751a6-1.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T20:02:22.789681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T20:02:33.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mail2000",
"vendor": "Openfind",
"versions": [
{
"lessThanOrEqual": "7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-06-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Openfind Mail2000 has insufficient filtering special characters of email content of its content filtering function. A remote attacker can exploit this vulnerability using phishing emails that contain malicious web pages injected with JavaScript. When users access the system and open the email, it triggers an XSS (Reflected Cross-site scripting) attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-02T00:00:00.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"url": "https://www.twcert.org.tw/tw/cp-132-7158-751a6-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Openfind Mail2000 version to V8"
}
],
"source": {
"advisory": "TVN-202306001",
"discovery": "EXTERNAL"
},
"title": "Openfind Mail2000 - XSS (Reflected Cross-site scripting)",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2023-28705",
"datePublished": "2023-06-02T00:00:00.000Z",
"dateReserved": "2023-03-21T00:00:00.000Z",
"dateUpdated": "2025-01-08T20:02:33.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22902 (GCVE-0-2023-22902)
Vulnerability from cvelistv5
Published
2023-03-27 00:00
Modified
2025-02-19 16:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Openfind Mail2000 file uploading function has insufficient filtering for user input. An authenticated remote attacker with general user privilege can exploit this vulnerability to inject JavaScript, conducting an XSS attack.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:31.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-6953-79236-1.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22902",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T16:28:26.624540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T16:28:31.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mail2000",
"vendor": "Openfind",
"versions": [
{
"status": "affected",
"version": "7"
},
{
"status": "affected",
"version": "8"
}
]
}
],
"datePublic": "2023-02-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Openfind Mail2000 file uploading function has insufficient filtering for user input. An authenticated remote attacker with general user privilege can exploit this vulnerability to inject JavaScript, conducting an XSS attack."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-27T00:00:00.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"url": "https://www.twcert.org.tw/tw/cp-132-6953-79236-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Mail2000 version to latest"
}
],
"source": {
"advisory": "TVN-202302001",
"discovery": "EXTERNAL"
},
"title": "Openfind Mail2000 - XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2023-22902",
"datePublished": "2023-03-27T00:00:00.000Z",
"dateReserved": "2023-01-10T00:00:00.000Z",
"dateUpdated": "2025-02-19T16:28:31.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12776 (GCVE-0-2020-12776)
Vulnerability from cvelistv5
Published
2020-09-01 08:10
Modified
2024-09-17 04:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Broken Access Control
Summary
Openfind Mail2000 contains Broken Access Control vulnerability, which can be used to execute unauthorized commands after attackers obtain the administrator access token or cookie.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3897-01d73-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mail2000",
"vendor": "Openfind",
"versions": [
{
"lessThanOrEqual": "7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Openfind Mail2000 contains Broken Access Control vulnerability, which can be used to execute unauthorized commands after attackers obtain the administrator access token or cookie."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Broken Access Control",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-01T08:10:17.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-3897-01d73-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update Patch to 091 of SP4, or contact with Openfind."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Openfind Mail2000 - Broken Access Control",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2020-09-01T08:00:00.000Z",
"ID": "CVE-2020-12776",
"STATE": "PUBLIC",
"TITLE": "Openfind Mail2000 - Broken Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mail2000",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "7.0"
}
]
}
}
]
},
"vendor_name": "Openfind"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Openfind Mail2000 contains Broken Access Control vulnerability, which can be used to execute unauthorized commands after attackers obtain the administrator access token or cookie."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Broken Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-3897-01d73-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-3897-01d73-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update Patch to 091 of SP4, or contact with Openfind."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2020-12776",
"datePublished": "2020-09-01T08:10:17.915Z",
"dateReserved": "2020-05-11T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:14:37.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15072 (GCVE-0-2019-15072)
Vulnerability from cvelistv5
Published
2019-11-20 04:16
Modified
2024-09-17 01:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.157Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gist.github.com/chtsecurity/b3396500d4686ad47fb26f64967ef24a"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gist.github.com/tonykuo76/5bf1ac369d953d5276afe0a2d04c2147"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/download/0837ce00c27c73dd3ba3a0d4a7df3a41aaea1ac1e9831a5d61bb64ed484a3598.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909002"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.twcert.org.tw/en/cp-128-3086-ff35d-2.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAIL2000",
"vendor": "Openfind",
"versions": [
{
"lessThan": "Before 20190919",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "SP4 Patch 076",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Kuo (CHT Security), Vtim (CHT Security)"
}
],
"datePublic": "2019-11-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The login feature in \"/cgi-bin/portal\" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-20T04:16:18.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gist.github.com/chtsecurity/b3396500d4686ad47fb26f64967ef24a"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gist.github.com/tonykuo76/5bf1ac369d953d5276afe0a2d04c2147"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/download/0837ce00c27c73dd3ba3a0d4a7df3a41aaea1ac1e9831a5d61bb64ed484a3598.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909002"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.twcert.org.tw/en/cp-128-3086-ff35d-2.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Openfind MAIL2000 Webmail Post-Auth Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2019-11-11T04:00:00.000Z",
"ID": "CVE-2019-15072",
"STATE": "PUBLIC",
"TITLE": "Openfind MAIL2000 Webmail Post-Auth Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAIL2000",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.0",
"version_value": "Before 20190919"
},
{
"version_affected": "\u003c",
"version_name": "7.0",
"version_value": "SP4 Patch 076"
}
]
}
}
]
},
"vendor_name": "Openfind"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tony Kuo (CHT Security), Vtim (CHT Security)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The login feature in \"/cgi-bin/portal\" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openfind.com.tw/taiwan/resource.html",
"refsource": "CONFIRM",
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"name": "https://gist.github.com/chtsecurity/b3396500d4686ad47fb26f64967ef24a",
"refsource": "CONFIRM",
"url": "https://gist.github.com/chtsecurity/b3396500d4686ad47fb26f64967ef24a"
},
{
"name": "https://gist.github.com/tonykuo76/5bf1ac369d953d5276afe0a2d04c2147",
"refsource": "CONFIRM",
"url": "https://gist.github.com/tonykuo76/5bf1ac369d953d5276afe0a2d04c2147"
},
{
"name": "https://www.chtsecurity.com/download/0837ce00c27c73dd3ba3a0d4a7df3a41aaea1ac1e9831a5d61bb64ed484a3598.txt",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/download/0837ce00c27c73dd3ba3a0d4a7df3a41aaea1ac1e9831a5d61bb64ed484a3598.txt"
},
{
"name": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909002",
"refsource": "CONFIRM",
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909002"
},
{
"name": "https://www.twcert.org.tw/en/cp-128-3086-ff35d-2.html",
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/en/cp-128-3086-ff35d-2.html"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2019-15072",
"datePublished": "2019-11-20T04:16:18.705Z",
"dateReserved": "2019-08-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:37:01.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15073 (GCVE-0-2019-15073)
Vulnerability from cvelistv5
Published
2019-11-20 04:16
Modified
2024-09-17 03:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Summary
An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gist.github.com/chtsecurity/512ebad24dddffb5321cf5f1a336f90f"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gist.github.com/tonykuo76/ed1cc21cf755bfb8b67ca24f50bded13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/download/258686130f7a16063c765f9e79cffd813409f6fe61c2dec05fceca541762d5bd.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.twcert.org.tw/en/cp-128-3087-5cecd-2.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909003"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAIL2000",
"vendor": "Openfind",
"versions": [
{
"lessThan": "Before 20190919",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "SP4 Patch 076",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Kuo (CHT Security), Vtim (CHT Security)"
}
],
"datePublic": "2019-11-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-20T04:16:09.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gist.github.com/chtsecurity/512ebad24dddffb5321cf5f1a336f90f"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gist.github.com/tonykuo76/ed1cc21cf755bfb8b67ca24f50bded13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/download/258686130f7a16063c765f9e79cffd813409f6fe61c2dec05fceca541762d5bd.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.twcert.org.tw/en/cp-128-3087-5cecd-2.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909003"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Openfind MAIL2000 Webmail Pre-Auth Open Redirect",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2019-11-11T04:00:00.000Z",
"ID": "CVE-2019-15073",
"STATE": "PUBLIC",
"TITLE": "Openfind MAIL2000 Webmail Pre-Auth Open Redirect"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAIL2000",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.0",
"version_value": "Before 20190919"
},
{
"version_affected": "\u003c",
"version_name": "7.0",
"version_value": "SP4 Patch 076"
}
]
}
}
]
},
"vendor_name": "Openfind"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tony Kuo (CHT Security), Vtim (CHT Security)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.openfind.com.tw/taiwan/resource.html",
"refsource": "CONFIRM",
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"name": "https://gist.github.com/chtsecurity/512ebad24dddffb5321cf5f1a336f90f",
"refsource": "CONFIRM",
"url": "https://gist.github.com/chtsecurity/512ebad24dddffb5321cf5f1a336f90f"
},
{
"name": "https://gist.github.com/tonykuo76/ed1cc21cf755bfb8b67ca24f50bded13",
"refsource": "CONFIRM",
"url": "https://gist.github.com/tonykuo76/ed1cc21cf755bfb8b67ca24f50bded13"
},
{
"name": "https://www.chtsecurity.com/download/258686130f7a16063c765f9e79cffd813409f6fe61c2dec05fceca541762d5bd.txt",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/download/258686130f7a16063c765f9e79cffd813409f6fe61c2dec05fceca541762d5bd.txt"
},
{
"name": "https://www.twcert.org.tw/en/cp-128-3087-5cecd-2.html",
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/en/cp-128-3087-5cecd-2.html"
},
{
"name": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909003",
"refsource": "CONFIRM",
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909003"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2019-15073",
"datePublished": "2019-11-20T04:16:09.274Z",
"dateReserved": "2019-08-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T03:37:27.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15071 (GCVE-0-2019-15071)
Vulnerability from cvelistv5
Published
2019-11-20 04:06
Modified
2024-09-17 00:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:34:53.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909001"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAIL2000",
"vendor": "Openfind",
"versions": [
{
"lessThan": "Before 20190919",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "SP4 Patch 076",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Kuo (CHT Security), Vtim (CHT Security)"
}
],
"datePublic": "2019-11-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The \"/cgi-bin/go\" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-11-22T15:19:49.000Z",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909001"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Openfind MAIL2000 Webmail Pre-Auth Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2019-11-11T04:00:00.000Z",
"ID": "CVE-2019-15071",
"STATE": "PUBLIC",
"TITLE": "Openfind MAIL2000 Webmail Pre-Auth Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAIL2000",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "6.0",
"version_value": "Before 20190919"
},
{
"version_affected": "\u003c",
"version_name": "7.0",
"version_value": "SP4 Patch 076"
}
]
}
}
]
},
"vendor_name": "Openfind"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tony Kuo (CHT Security), Vtim (CHT Security)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The \"/cgi-bin/go\" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27",
"refsource": "CONFIRM",
"url": "https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27"
},
{
"name": "https://www.openfind.com.tw/taiwan/resource.html",
"refsource": "CONFIRM",
"url": "https://www.openfind.com.tw/taiwan/resource.html"
},
{
"name": "https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d",
"refsource": "CONFIRM",
"url": "https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d"
},
{
"name": "https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt"
},
{
"name": "https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html",
"refsource": "CONFIRM",
"url": "https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html"
},
{
"name": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909001",
"refsource": "CONFIRM",
"url": "https://tvn.twcert.org.tw/taiwanvn/TVN-201909001"
},
{
"name": "https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf",
"refsource": "MISC",
"url": "https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf"
},
{
"name": "https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf",
"refsource": "MISC",
"url": "https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2019-15071",
"datePublished": "2019-11-20T04:06:20.948Z",
"dateReserved": "2019-08-15T00:00:00.000Z",
"dateUpdated": "2024-09-17T00:10:30.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}