An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled. They allow directory traversal to create new files (such as an executable file under the web root). This is related to DAVServer.php in 8.x and DAV/Server.php in 7.x.
References
Link | Resource |
---|---|
https://auroramail.wordpress.com/2021/02/03/addressing-dav-related-vulnerability-in-webmail-and-aurora/ | Exploit Third Party Advisory |
History
11 Mar 2021, 14:29
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://auroramail.wordpress.com/2021/02/03/addressing-dav-related-vulnerability-in-webmail-and-aurora/ - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:afterlogic:webmail_pro:*:*:*:*:*:*:*:* cpe:2.3:a:afterlogic:aurora:*:*:*:*:*:*:*:* | |
CVSS | v2 : v3 : | v2 : 6.8 v3 : 9.8 |
CWE | CWE-22 |
04 Mar 2021, 21:31
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-03-04 21:15
Updated : 2023-12-10 13:41
NVD link : CVE-2021-26293
Mitre link : CVE-2021-26293
CVE.ORG link : CVE-2021-26293
Products Affected
afterlogic
- webmail_pro
- aurora
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')