nessus Tenable 5019.PRM
Aug 18, 2004 - 12:00 a.m.

IceWarp Merak WebMail Server < 9.4.2 Multiple Vulnerabilities

2004-08-18 00:00:00
Tenable
www.tenable.com
67

The remote host is running IceWarp WebMail Server, a webmail server for Windows and Linux. According to its banner, the version of IceWarp installed on the remote host is earlier than 9.4.2. Such versions are reportedly affected by multiple vulnerabilities:

  • A SQL injection vulnerability in the search form of the web-based groupware component. (CVE-2009-1468)

  • A cross-site scripting vulnerability exists because the application fails to properly sanitize HTML emails. An attacker can exploit this flaw through the ‘cleanHTML()’ function of the ‘html/webmail/server/inc/tools.php’ script. (CVE-2009-1467)

  • A cross-site scripting vulnerability exists because the application fails to properly sanitize RSS feeds. An attacker can exploit this flaw through the ‘cleanHTML()’ function of the ‘html/webmail/server/inc/rss/rss.php’ script. (CVE-2009-1467)

  • An input validation flaw in the ‘Forgot Password’ function on the login page. (CVE-2009-1469)

An attacker could exploit these flaws to steal sensitive information, upload files, or possibly execute arbitrary code subject to the privileges of the affected application.

Vendor | Product | Version | CPE
icewarp | webmail_server | | cpe:/a:icewarp:webmail_server