CGIs included with PMailServer and PMailServer2 provided by A.K.I Software contain multiple vulnerabilities listed below.
Stored cross-site scripting vulnerability (CWE-79) - CVE-2023-39223
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Base Score: 4.0 |
Insufficient verification vulnerability in Broadcast Mail CGI (pmc.exe) (CWE-434) - CVE-2023-39933
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | Base Score: 4.3 |
CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Base Score: 4.0 |
Directory traversal vulnerability in Mailing List Search CGI (pmmls.exe) (CWE-22) - CVE-2023-40160
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | Base Score: 3.7 |
CVSS v2 | AV:N/AC:M/Au:N/C:P/I:N/A:N | Base Score: 4.3 |
Directory traversal vulnerability in Internal Simple Webserver (CWE-22) - CVE-2023-40747
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Base Score: 5.3 |
CVSS v2 | AV:N/AC:L/Au:N/C:P/I:N/A:N | Base Score: 5.0 |
For PMailServer2: Apply the update file
Apply the update file according to the information provided by the developer.
For PMailServer: Stop using the product’s CGIs or switch to an alternative product
The developer states that the affected products are no longer being developed, and update files will not be provided.
The developer recommends that users stop using the product’s CGIs or switch to the alternative product “PMailServer2”.
Apply the Workarounds
The developer provides workarounds for these vulnerabilities.
For more information, please refer to the developer’s website (text in Japanese).