CVE-2019-15071 Information

Description

The /cgi-bin/go\ page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments organizations companies and universities.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27 https://tvn.twcert.org.tw/taiwanvn/TVN-201909001 https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf https://www.openfind.com.tw/taiwan/resource.html https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1