The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.
https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html
https://www.openfind.com.tw/taiwan/resource.html
https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf
https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf
https://tvn.twcert.org.tw/taiwanvn/TVN-201909001
https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27
https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d