History: Jul 15, 2024 - 8:00 a.m.

CVE-2024-6740 Openfind Mail2000 - Stored XSS

2024-07-15 08:00:31
CWE-79
twcert
github.com
9
openfind mail2000
stored xss
vulnerability
remote attackers
javascript code
email attachments

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 6.7
Confidence: High

SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

Openfind’s Mail2000 does not properly validate email attachments, allowing unauthenticated remote attackers to inject JavaScript code within the attachment and perform Stored Cross-site scripting attacks.

CNA Affected

[
  {
    "vendor": "Openfind",
    "product": "Mail2000 V7.0",
    "versions": [
      {
        "status": "affected",
        "version": "all",
        "lessThan": "Patch 131",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Openfind",
    "product": "Mail2000 V8.0",
    "versions": [
      {
        "status": "affected",
        "version": "all",
        "lessThan": "Patch 044",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
