CVE-2019-15071

medium

Description

The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.

References

https://www.twcert.org.tw/en/cp-128-3085-45bda-2.html

https://www.openfind.com.tw/taiwan/resource.html

https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf

https://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf

https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt

https://tvn.twcert.org.tw/taiwanvn/TVN-201909001

https://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27

https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d

Details

Source: Mitre, NVD

Published: 2019-11-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium