IlohaMail Forged GET/POST Arbitrary Contacts Deletion
The target is running at least one instance of IlohaMail version 0.7.9-RC2 or earlier. Such versions contain a flaw that enables an authenticated user to delete contacts belonging to any user provided the DB-based backend is used to store contacts. The flaw arises because ownership of 'deleteitem...