Vulnerability Description
IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.html before it is stored in a database, which can allow remote authenticated users to include arbitrary PHP code via a URL in a modified lang_settings parameter to mail/index.html.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deerfield | Visnetic Mail Server | 8.3.0_build1 |
| Icewarp | Web Mail | 5.5.1 |
| Merak | Mail Server | 8.3.0r |
References
- http://marc.info/?l=full-disclosure&m=113570229524828&w=2
- http://secunia.com/advisories/17046 (Exploit, Patch, Vendor Advisory)
- http://secunia.com/advisories/17865
- http://secunia.com/secunia_research/2005-62/advisory/ (Exploit, Vendor Advisory)
- http://securitytracker.com/id?1015412
- http://www.osvdb.org/22080
- http://www.osvdb.org/22081
- http://www.securityfocus.com/archive/1/420255/100/0/threaded
- http://www.securityfocus.com/bid/16069 (Exploit)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23904
FAQ
What is CVE-2005-4558?
CVE-2005-4558 is a vulnerability with a CVSS score of 6.5 (MEDIUM). IceWarp Web Mail 5.5.1, as used by Merak Mail Server 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly restrict acceptable values for the language parameter to mail/settings.htm...
How severe is CVE-2005-4558?
CVE-2005-4558 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2005-4558?
Check the references section above for vendor advisories and patch information. Affected products include: Deerfield Visnetic Mail Server, Icewarp Web Mail, Merak Mail Server.