A SSRF vulnerability exists in Winmail 6.5 in app.php in the key parameter when HTTPS is on. An attacker can use this vulnerability to cause the server to send a request to a specific URL. An attacker can modify the request header 'HOST' value to cause the server to send the...
7.5CVSS
7.4AI Score
0.001EPSS
A reflected XSS vulnerability exists in tohtml/convert.php of Winmail 6.5, which can cause JavaScript code to be...
6.1CVSS
6AI Score
0.001EPSS
Winmail Server through 6.2 allows remote code execution by authenticated users who leverage directory traversal in a netdisk.php copy_folder_file call (in inc/class.ftpfolder.php) to move a .php file from the FTP folder into a web...
8.8CVSS
8.9AI Score
0.004EPSS
Winmail Server 6.1 allows remote code execution by authenticated users who leverage directory traversal in a netdisk.php move_folder_file call to move a .php file from the FTP folder into a web...
8.8CVSS
8.8AI Score
0.004EPSS
Unspecified vulnerability in the Webmail module in Winmail before 4.3 has unknown impact and unknown remote attack...
6.6AI Score
0.004EPSS
Directory traversal vulnerability in admin/main.php in AMAX Magic Winmail Server 4.2 (build 0824) and earlier allows remote attackers to overwrite arbitrary files with session information via the sid...
6.6AI Score
0.185EPSS
AMAX Magic Winmail Server 3.6 allows remote attackers to obtain sensitive information by entering (1) invalid characters such as "()" or (2) a large number of characters in the Lookup field on the netaddressbook.php web form, which reveals the path in an ldaplib.php error message when the...
6.6AI Score
0.008EPSS
Cross-site scripting (XSS) vulnerability in AMAX Magic Winmail Server 4.2 (build 0824) and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) retid parameter in badlogin.php, (2) Content-Type headers in HTML mails, and (3) HTML mail...
5.7AI Score
0.006EPSS
Multiple directory traversal vulnerabilities in Magic Winmail Server 4.0 Build 1112 allow remote attackers to (1) upload arbitrary files via certain parameters to upload.php or (2) read arbitrary files via certain parameters to download.php, and remote authenticated users to read, create, or...
7.2AI Score
0.016EPSS
Cross-site scripting (XSS) vulnerability in user.php in Magic Winmail Server 4.0 Build 1112 allows remote attackers to inject arbitrary web script or HTML via the personal information...
5.8AI Score
0.005EPSS
The FTP service in Magic Winmail Server 4.0 Build 1112 does not verify that the IP address in a PORT command is the same as the IP address of the user of the FTP session, which allows remote authenticated users to use the server as an intermediary for port...
6.8AI Score
0.003EPSS
Format string vulnerability in Magic WinMail Server 2.3, and possibly other 2.x versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the PASS...
7.8AI Score
0.033EPSS