The “/cgi-bin/go” page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via the ACTION parameter without authentication. The code can be executed for any user accessing the page. This vulnerability affects many mail systems of governments, organizations, companies and universities.
[
{
"product": "MAIL2000",
"vendor": "Openfind",
"versions": [
{
"lessThan": "Before 20190919",
"status": "affected",
"version": "6.0",
"versionType": "custom"
},
{
"lessThan": "SP4 Patch 076",
"status": "affected",
"version": "7.0",
"versionType": "custom"
}
]
}
]
gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216d
gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27
tvn.twcert.org.tw/taiwanvn/TVN-201909001
www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txt
www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdf
www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdf
www.openfind.com.tw/taiwan/resource.html
www.twcert.org.tw/en/cp-128-3085-45bda-2.html