Main Vulnerability Database Vulnerabilities #VU80411

#VU80411 Path traversal in A.K.I Software products - CVE-2023-40747

Published: September 5, 2023

Vulnerability identifier: #VU80411

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-40747

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
PMailServer Standard edition
PMailServer Pro edition
PMailServer Standard + IMAP4 edition
PMailServer Pro + IMAP4 edition
PMailServer2 Standard edition
PMailServer2 Pro edition
PMailServer2 Standard + IMAP4 edition
PMailServer2 Pro + IMAP4 edition
PMailServer2 Enterprise edition

Software vendor:
A.K.I Software

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in Internal Simple Webserve. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

Note: The following CGIs included with the vulnerable products are affected by the vulnerability.

pmc.exe 2.5.1.720 and earlier
pmam.exe 2.5.1.1411 and earlier
pmmls.exe 2.5.1.561 and earlier
pmum.exe (Standard edition) 2.5.1.25451 and earlier
pmum.exe (Pro edition) 2.5.1.25452 and earlier
pmum.exe (Standard + IMAP4 edition) 2.5.1.25453 and earlier
pmum.exe (Pro + IMAP4 edition / Enterprise edition) 2.5.1.25454 and earlier
pmman.exe (Standard edition) 2.5.1.12154 and earlier
pmman.exe (Pro edition) 2.5.1.12155 and earlier
pmman.exe (Standard + IMAP4 edition) 2.5.1.12156 and earlier
pmman.exe (Pro + IMAP4 edition) 2.5.1.12157 and earlier
pmman.exe (Enterprise edition) 2.5.1.12158 and earlier

Remediation

Install updates from vendor's website.

#VU80411 Path traversal in A.K.I Software products - CVE-2023-40747

Description

Remediation

External links

Please verify you're human