Atmail Webmail 6.x / 7.x < 7.2.0 Multiple Vulnerabilities

medium Nessus Plugin ID 73624

Synopsis

The remote web server contains an application that is affected by multiple vulnerabilities.

Description

According to its version, the Atmail Webmail install on the remote host is 6.x or 7.x prior to 7.2.0. It is, therefore, potentially affected by the following vulnerabilities :

- An input validation error exists related to email handling that could allow persistent cross-site scripting attacks (XSS). (CVE-2013-6017)

- An input validation error exists related to administration functions that could allow cross-site request forgery attacks (XSRF). (CVE-2013-6028)

Solution

Upgrade to Atmail Webmail 7.2.0 or later.

See Also

https://help.atmail.com/hc/en-us/categories/200214454-Changelog

Plugin Details

Severity: Medium

ID: 73624

File Name: atmail_webmail_7_2_0.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 4/18/2014

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:atmail:atmail

Required KB Items: www/atmail_webmail

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/10/2014

Vulnerability Publication Date: 1/10/2014

Reference Information

CVE: CVE-2013-6017, CVE-2013-6028

BID: 64777, 64779

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

CERT: 204950