CVE-2023-39699 - Vulnerability Details - OpenCVE

IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /calendar/minimizer/index.php. This vulnerability allows attackers to include or execute files from the local file system of the targeted server.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00537.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Icewarp	Mail Server

Configuration 1 [-]

cpe:2.3:a:icewarp:mail_server:10.4.5:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-43399	IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /calendar/minimizer/index.php. This vulnerability allows attackers to include or execute files from the local file system of the targeted server.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://cwe.mitre.org/data/definitions/98.html
https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion

History

Thu, 03 Oct 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-24T00:00:00

Updated: 2024-10-03T13:35:00.456Z

Reserved: 2023-08-07T00:00:00

Link: CVE-2023-39699

Vulnrichment

Updated: 2024-08-02T18:18:09.829Z

NVD

Status : Modified

Published: 2023-08-25T00:15:09.283

Modified: 2024-11-21T08:15:50.640

Link: CVE-2023-39699

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-39699", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-03T13:35:00.456Z", "dateReserved": "2023-08-07T00:00:00", "datePublished": "2023-08-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-24T23:57:05.503884"}, "descriptions": [{"lang": "en", "value": "IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /calendar/minimizer/index.php. This vulnerability allows attackers to include or execute files from the local file system of the targeted server."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/98.html"}, {"url": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion"}, {"url": "https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:18:09.829Z"}, "title": "CVE Program Container", "references": [{"url": "https://cwe.mitre.org/data/definitions/98.html", "tags": ["x_transferred"]}, {"url": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion", "tags": ["x_transferred"]}, {"url": "https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T13:34:51.761626Z", "id": "CVE-2023-39699", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T13:35:00.456Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-39699", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-03T13:35:00.456Z", "dateReserved": "2023-08-07T00:00:00", "datePublished": "2023-08-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-24T23:57:05.503884"}, "descriptions": [{"lang": "en", "value": "IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /calendar/minimizer/index.php. This vulnerability allows attackers to include or execute files from the local file system of the targeted server."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://cwe.mitre.org/data/definitions/98.html"}, {"url": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion"}, {"url": "https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:18:09.829Z"}, "title": "CVE Program Container", "references": [{"url": "https://cwe.mitre.org/data/definitions/98.html", "tags": ["x_transferred"]}, {"url": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion", "tags": ["x_transferred"]}, {"url": "https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39699", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-03T13:34:51.761626Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T13:34:56.119Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:icewarp:mail_server:10.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "6B36217E-C6E5-4841-9B43-802B0D1474B4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /calendar/minimizer/index.php. This vulnerability allows attackers to include or execute files from the local file system of the targeted server."}], "id": "CVE-2023-39699", "lastModified": "2024-11-21T08:15:50.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-25T00:15:09.283", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://cwe.mitre.org/data/definitions/98.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cwe.mitre.org/data/definitions/98.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}