Icewarp Webclient vulnerabilities
10 known vulnerabilities affecting icewarp/webclient.
Total CVEs
10
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
HIGH2MEDIUM8
Vulnerabilities
Page 1 of 1
CVE-2023-39598P3MEDIUMCVSS 6.1PoCv10.2.12023-09-05
CVE-2023-39598 [MEDIUM] CWE-79 CVE-2023-39598: Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacke
Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter.
nvd
CVE-2010-5335P3HIGHCVSS 7.5≥ 10.0, < 10.2.12019-10-11
CVE-2010-5335 [HIGH] CWE-22 CVE-2010-5335: IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of
IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of confidential data of IceWarp Mailserver and the operating system. Input passed via a certain parameter (script to basic/minimizer/index.php) is not properly sanitised and can therefore be exploited to browse the partition where IceWarp is installed (or the
nvd
CVE-2010-5334P3HIGHCVSS 7.5≥ 10.0, < 10.2.12019-10-11
CVE-2010-5334 [HIGH] CWE-22 CVE-2010-5334: IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of
IceWarp Webclient before 10.2.1 has a directory traversal vulnerability. This can result in loss of confidential data of IceWarp Mailserver and the operating system. Input passed via a certain parameter (_c to basic/index.html) is not properly sanitised and can therefore be exploited to browse the partition where IceWarp is installed (or the whole system)
nvd
CVE-2010-5337P4MEDIUMCVSS 6.1≥ 10.0, < 10.2.12019-10-11
CVE-2010-5337 [MEDIUM] CWE-79 CVE-2010-5337: IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter
IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][controller] is non-persistent in 10.1.3 and 10.2.0.
nvd
CVE-2010-5339P4MEDIUMCVSS 6.1≥ 10.0, < 10.2.12019-10-11
CVE-2010-5339 [MEDIUM] CWE-79 CVE-2010-5339: IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter
IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][uid] is non-persistent in 10.1.3 and 10.2.0.
nvd
CVE-2010-5340P4MEDIUMCVSS 6.1≥ 10.0, < 10.2.12019-10-11
CVE-2010-5340 [MEDIUM] CWE-79 CVE-2010-5340: IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/ with the parameter passwo
IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/ with the parameter password is non-persistent in 10.2.0.
nvd
CVE-2010-5336P4MEDIUMCVSS 6.1fixed in 10.2.12019-10-11
CVE-2010-5336 [MEDIUM] CWE-79 CVE-2010-5336: IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: admin/login.html with the paramete
IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: admin/login.html with the parameter username is persistent in 10.2.0.
nvd
CVE-2010-5338P4MEDIUMCVSS 6.1≥ 10.0, < 10.2.12019-10-11
CVE-2010-5338 [MEDIUM] CWE-79 CVE-2010-5338: IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter
IceWarp Webclient before 10.2.1 has XSS via an HTTP POST request: webmail/basic/ with the parameter _dlg[captcha][action] is non-persistent in 10.1.3 and 10.2.0.
nvd
CVE-2020-25925P4MEDIUMCVSS 6.1v10.3.52021-07-07
CVE-2020-25925 [MEDIUM] CWE-79 CVE-2020-25925: Cross Site Scripting (XSS) in Webmail Calender in IceWarp WebClient 10.3.5 allows remote attackers t
Cross Site Scripting (XSS) in Webmail Calender in IceWarp WebClient 10.3.5 allows remote attackers to inject arbitrary web script or HTML via the "p4" field.
nvd
CVE-2023-43319P4MEDIUMCVSS 6.1v10.3.52023-09-25
CVE-2023-43319 [MEDIUM] CWE-79 CVE-2023-43319: Cross Site Scripting (XSS) vulnerability in the Sign-In page of IceWarp WebClient 10.3.5 allows atta
Cross Site Scripting (XSS) vulnerability in the Sign-In page of IceWarp WebClient 10.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter.
nvd