CVE-2005-4558
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/12/2005
Last modified:
19/10/2018
Description
IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.
Impact
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:deerfield:visnetic_mail_server:8.3.0_build1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:icewarp:web_mail:5.5.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:merak:mail_server:8.3.0r:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://marc.info/?l=full-disclosure&m=113570229524828&w=2
- http://secunia.com/advisories/17046
- http://secunia.com/advisories/17865
- http://secunia.com/secunia_research/2005-62/advisory/
- http://securitytracker.com/id?1015412=
- http://www.osvdb.org/22080
- http://www.osvdb.org/22081
- http://www.securityfocus.com/archive/1/420255/100/0/threaded
- http://www.securityfocus.com/bid/16069
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23904