RSS   Vulnerabilities for 'Mailenable'   RSS

2019-07-08
 
CVE-2019-12927

CWE-79
 

 
MailEnable Enterprise Premium 10.23 was vulnerable to stored and reflected cross-site scripting (XSS) attacks. Because the session cookie did not use the HttpOnly flag, it was possible to hijack the session cookie by exploiting this vulnerability.

 
2019-01-16
 
CVE-2015-9280

CWE-611
 

 
MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.

 
 
CVE-2015-9279

CWE-79
 

 
MailEnable before 8.60 allows Stored XSS via malformed use of "<img/src" with no ">" character in the body of an e-mail message.

 
 
CVE-2015-9278

CWE-255
 

 
MailEnable before 8.60 allows Privilege Escalation because admin accounts could be created as a consequence of %0A mishandling in AUTH.TAB after a password-change request.

 
 
CVE-2015-9277

CWE-22
 

 
MailEnable before 8.60 allows Directory Traversal for reading the messages of other users, uploading files, and deleting files because "/../" and "/.. /" are mishandled.

 
2014-09-19
 
CVE-2012-2588

CWE-79
 

 
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.

 
2012-01-24
 
CVE-2012-0389

CWE-79
 

 
Cross-site scripting (XSS) vulnerability in ForgottenPassword.aspx in MailEnable Professional, Enterprise, and Premium 4.26 and earlier, 5.x before 5.53, and 6.x before 6.03 allows remote attackers to inject arbitrary web script or HTML via the Username parameter.

 
2010-09-15
 
CVE-2010-2580

CWE-20
 

 
The SMTP service (MESMTPC.exe) in MailEnable 3.x and 4.25 does not properly perform a length check, which allows remote attackers to cause a denial of service (crash) via a long (1) email address in the MAIL FROM command, or (2) domain name in the RCPT TO command, which triggers an "unhandled invalid parameter error."

 
2008-08-04
 
CVE-2008-3449

CWE-399
 

 
MailEnable Professional 3.5.2 and Enterprise 3.52 allow remote attackers to cause a denial of service (crash) via multiple IMAP connection requests to the same folder.

 
2007-02-14
 
CVE-2007-0955

CWE-Other
 

 
The NTLM_UnPack_Type3 function in MENTLM.dll in MailEnable Professional 2.35 and earlier allows remote attackers to cause a denial of service (application crash) via certain base64-encoded data following an AUTHENTICATE NTLM command to the imap port (143/tcp), which results in an out-of-bounds read.

 


Copyright 2022, cxsecurity.com

 

Back to Top