CVE-2019-15071
Openfind MAIL2000 Webmail Pre-Auth Cross-Site Scripting
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail system of governments, organizations, companies and universities.
Affected products
Openfind · MAIL2000Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://gist.github.com/chtsecurity/21119b393640bea1d010ab9e3bee216dhttps://gist.github.com/tonykuo76/95638395e0c83e68dbd3db0fa0184e27https://tvn.twcert.org.tw/taiwanvn/TVN-201909001https://www.chtsecurity.com/download/5011077112c76fb73f82d7eeb2b41b3bcd06c5037be242fec7b185603ca52dc1.txthttps://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-004.pdfhttps://www.openfind.com.tw/taiwan/download/m2k/patch/Openfind_OF-ISAC-19-005.pdfhttps://www.openfind.com.tw/taiwan/resource.htmlhttps://www.twcert.org.tw/en/cp-128-3085-45bda-2.html