History: Jul 15, 2024 - 8:00 a.m.

CVE-2024-6740 Openfind Mail2000 - Stored XSS

2024-07-15 08:00:31
CWE-79
twcert
www.cve.org
openfind mail2000
unauthenticated
remote attackers
stored xss
email attachments

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 21.0%

Openfind’s Mail2000 does not properly validate email attachments, allowing unauthenticated remote attackers to inject JavaScript code within the attachment and perform Stored Cross-site scripting attacks.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mail2000 V7.0",
    "vendor": "Openfind",
    "versions": [
      {
        "lessThan": "Patch 131",
        "status": "affected",
        "version": "all",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Mail2000 V8.0",
    "vendor": "Openfind",
    "versions": [
      {
        "lessThan": "Patch 044",
        "status": "affected",
        "version": "all",
        "versionType": "custom"
      }
    ]
  }
]
