Vulnerability Description
MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mailenable | Mailenable | >= 6.0, < 6.90 |
Related Weaknesses (CWE)
References
- http://www.mailenable.com/Premium-ReleaseNotes.txtRelease NotesVendor Advisory
- https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabiRelease NotesThird Party Advisory
- http://www.mailenable.com/Premium-ReleaseNotes.txtRelease NotesVendor Advisory
- https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabiRelease NotesThird Party Advisory
FAQ
What is CVE-2019-12924?
CVE-2019-12924 is a vulnerability with a CVSS score of 9.8 (CRITICAL). MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerabi...
How severe is CVE-2019-12924?
CVE-2019-12924 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-12924?
Check the references section above for vendor advisories and patch information. Affected products include: Mailenable Mailenable.