CVE-2021-26294
Published: 2021-03-07
Priority: P181 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 17.34% (96.7th percentile)
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_user account (with caldav_public_user as its password).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| afterlogic | aurora | <= 7.7.9 | — |
| afterlogic | webmail_pro | <= 7.7.9 | — |
Detection & IOCs
- Look for HTTP requests to the DAV endpoint containing percent-encoded directory traversal sequences (%2e%2e) in the path, specifically targeting dav/server.php/files/personal/%2e%2e
- Alert on successful HTTP 200 responses with Content-Type 'application/octet-stream' from the DAV endpoint, which may indicate successful file exfiltration via directory traversal
- Monitor for authentication attempts using the default credential pair caldav_public_user / caldav_public_user against AfterLogic Aurora or WebMail Pro instances
- Monitor access to data/settings/settings.xml via the DAV interface, as successful retrieval exposes admin panel credentials
- The vulnerability affects AfterLogic Aurora through version 7.7.9 and WebMail Pro through version 7.7.9; detections should be scoped to these versions
- The attack requires the caldav_public_user account to be enabled/present on the target instance; environments that have disabled or renamed this account may not be exploitable via this exact vector
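
One way to apply the request, status and default-account checks above to web server access logs, as an added example (not part of the original page or of any vendor tooling). It assumes Combined Log Format with the authenticated user in the third field, uses constructed sample lines, and also decodes double-encoded sequences, which goes beyond the single %2e%2e form quoted in the advisory.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
DAV_PREFIX = "dav/server.php/files/"  # endpoint named in the advisory
DEFAULT_USER = "caldav_public_user"   # default account named in the advisory

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return None for unrelated lines, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_fully(m["path"].split("?", 1)[0]).replace("\\", "/").lower()
    idx = path.find(DAV_PREFIX)
    if idx < 0 or ".." not in path[idx:].split("/"):
        return None
    return {
        "host": m["host"],
        "default_account": m["user"] == DEFAULT_USER,
        "served": m["status"] == "200",  # a 200 means content was returned
    }

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - caldav_public_user [22/Jan/2025:10:00:01 +0000] '
    '"GET /dav/server.php/files/personal/%2e%2e HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [22/Jan/2025:10:00:05 +0000] '
    '"GET /dav/server.php/files/personal/%252E%252E HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.4 - alice [22/Jan/2025:10:01:00 +0000] '
    '"GET /dav/server.php/files/personal/notes..txt HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Combined Log Format does not record the response Content-Type, so the application/octet-stream check needs a proxy or WAF log that captures response headers; here a 200 status alone marks a request as served.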
CVSS provenance
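| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | - | 7.5 | HIGH | - |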
GHSA
GHSA-v4m8-qvh3-jm6c: An issue was discovered in AfterLogic Aurora through 7
ghsa_unreviewed·2022-05-24
CVE-2021-26294 [HIGH] CWE-22 GHSA-v4m8-qvh3-jm6c: An issue was discovered in AfterLogic Aurora through 7
VulnCheck
afterlogic aurora Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2021·CVSS 7.5
CVE-2021-26294 [HIGH] afterlogic aurora Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: afterlogic aurora
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-01-22&host_type=src&vulnerability=cve-2021-26294; h
No detection rules found.
Nuclei
AfterLogic Aurora and WebMail Pro < 7.7.9 - Information Disclosure
nuclei·CVSS 7.5
CVE-2021-26294 [HIGH] AfterLogic Aurora and WebMail Pro < 7.7.9 - Information Disclosure
AfterLogic Aurora and WebMail Pro "
      - ""
      - ""
    condition: and
  - type: word
    part: header
    words:
      - "application/octet-stream"
  - type: status
    status:
      - 200
# digest: 490a0046304402202a87414bfa1af7814b750e7f65a2d4d6b33d398d8cfeef12eb8a9ae8a6d22ab8022003d9b7ee72737fae1bf2ac2e5b628dd217b52b1312582868fc48984affc7bc82:922c64590222798bb761d5b6d8e72950