Vulnerability Description
The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Attackers can read logs via the webmail/logs/sendmail URI.
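A defensive audit for this class of misconfiguration, as an added example that is not code from Poste.io or Roundcube: it walks a document root, finds directories that depend on a deny-all .htaccess, and prints the nginx rules that would restore the restriction. The sample tree (including the temp/ directory) is constructed, and the script assumes the document root maps to the URL root.

```python
import os
import re
import tempfile

# Apache 2.2 / 2.4 directives that refuse all requests for a directory.
# Heuristic: a deny scoped inside <Files> or <If> is reported too.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def htaccess_protected_dirs(docroot):
    """Return URL paths of directories that rely on a deny-all .htaccess."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            if DENY_RE.search(fh.read()):
                rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
                found.append("/" if rel == "." else "/" + rel + "/")
    return sorted(found)

def nginx_deny_blocks(url_paths):
    """Render equivalent nginx rules; nginx never reads .htaccess files."""
    # ^~ stops regex locations (e.g. a PHP handler) from taking precedence.
    return "\n".join("location ^~ %s { deny all; }" % p for p in url_paths)

def build_sample_tree(root):
    """Constructed sample layout, not taken from a real Poste.io install."""
    samples = {
        "webmail/.htaccess": "Options -Indexes\n",                    # no deny rule
        "webmail/logs/.htaccess": "Order allow,deny\nDeny from all\n",
        "webmail/logs/sendmail": "constructed log line\n",
        "webmail/temp/.htaccess": "Require all denied\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as docroot:
        build_sample_tree(docroot)
        print(nginx_deny_blocks(htaccess_protected_dirs(docroot)))
```

Each reported path needs an explicit rule in the nginx server block, because the .htaccess file on disk has no effect there.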
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Analogic | Poste.Io | 2.1.6 |
Related Weaknesses (CWE)
References
- https://bitbucket.org/analogic/mailserver/issues/665/posteio-logs-leak (Exploit, Issue Tracking, Third Party Advisory)
- https://poste.io/changelog (Release Notes, Vendor Advisory)
FAQ
What is CVE-2019-12938?
CVE-2019-12938 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Attackers can read logs via...
How severe is CVE-2019-12938?
CVE-2019-12938 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-12938?
Check the references section above for vendor advisories and patch information. Affected products include: Analogic Poste.Io.