CVE-2021-26294
published 2021-03-07


Priority P181 · high · 7.5 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 17.34% (96.7th percentile)
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_user account (with caldav_public_user as its password).

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| afterlogic | aurora | <= 7.7.9 | |
| afterlogic | webmail_pro | <= 7.7.9 | |

Detection & IOCs (extracted from sources)

path: dav/server.php/files/personal/%2e%2e
path: data/settings/settings.xml
other: caldav_public_user:caldav_public_user
  • Look for HTTP requests to the DAV endpoint containing percent-encoded directory traversal sequences (%2e%2e) in the path, specifically targeting dav/server.php/files/personal/%2e%2e
  • Alert on successful HTTP 200 responses with Content-Type 'application/octet-stream' from the DAV endpoint, which may indicate successful file exfiltration via directory traversal
  • Monitor for authentication attempts using the default credential pair caldav_public_user / caldav_public_user against AfterLogic Aurora or WebMail Pro instances
  • Monitor access to data/settings/settings.xml via the DAV interface, as successful retrieval exposes admin panel credentials
  • The vulnerability affects AfterLogic Aurora through version 7.7.9 and WebMail Pro through version 7.7.9; detections should be scoped to these versions
  • The attack requires the caldav_public_user account to be enabled/present on the target instance; environments that have disabled or renamed this account may not be exploitable via this exact vector
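
The checks listed above can be run over web server access logs. The following is an added example, not part of the original entry or any vendor tooling: it assumes Combined Log Format with the HTTP Basic auth user in the third field, uses constructed sample lines with a placeholder path segment, and goes beyond the exact `%2e%2e` string by also catching mixed-case and double-encoded variants.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
DAV_MARKER = "dav/server.php/"        # endpoint named on this page
DEFAULT_USER = "caldav_public_user"   # default account named on this page

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so %252e%252e also reduces to '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return finding tags for one access-log line (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    decoded = decode_fully(m["path"].split("?", 1)[0])  # drop query, then decode
    if DAV_MARKER not in decoded.lower():
        return []
    tags = []
    if ".." in decoded.split("/"):
        tags.append("dav-traversal")
        if m["status"] == "200":
            tags.append("traversal-returned-200")
    if decoded.lower().endswith("/settings.xml"):
        tags.append("settings-xml-via-dav")
    if m["user"] == DEFAULT_USER:
        tags.append("default-dav-account")
    return tags

# Constructed sample lines (documentation IPs, placeholder path segment).
SAMPLE = [
    '203.0.113.7 - caldav_public_user [07/Mar/2021:10:00:01 +0000] "GET /dav/server.php/files/personal/%2e%2e HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - caldav_public_user [07/Mar/2021:10:00:02 +0000] "GET /dav/server.php/files/personal/%252E%252E/PLACEHOLDER/settings.xml HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - alice [07/Mar/2021:10:00:03 +0000] "PROPFIND /dav/server.php/files/personal/ HTTP/1.1" 207 900 "-" "-"',
]

def scan(lines):
    """Return (client IP, tags) for every flagged line."""
    return [(LOG_RE.match(l)["host"], classify(l)) for l in lines if classify(l)]

if __name__ == "__main__":
    for host, tags in scan(SAMPLE):
        print(host, ",".join(tags))
```

Standard access logs do not record the response Content-Type, so the 200 status is used here as the success signal; the 'application/octet-stream' check needs proxy or WAF logs that capture response headers.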

CVSS provenance

nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 7.5 · HIGH