CVE-2019-12923 Information
Feb 14, 2021
cve
Description
In MailEnable Enterprise Premium 10.23 the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email adding contacts or changing settings) on behalf of the attacker.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Reference
http://www.mailenable.com/Premium-ReleaseNotes.txt https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-mailenable/
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
REQUIRED
Confidentiality Impact
UNCHANGED
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
NONE
Base Severity
6.5
Share on: