- Description
- In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.
- Source
- cve@mitre.org
- NVD status
- Analyzed
CVSS 3.0
- Type
- Primary
- Base score
- 6.5
- Impact score
- 3.6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 4.3
- Impact score
- 2.9
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:N/I:P/A:N
- nvd@nist.gov
- CWE-352
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:premium:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F7B4998A-BD40-4D0D-AC78-0457F40067C0",
"versionEndExcluding": "6.90",
"versionStartIncluding": "6.0"
},
{
"criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:premium:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9B9FFD5C-6982-4B54-BED3-DBAF30490439",
"versionEndExcluding": "7.62",
"versionStartIncluding": "7.0"
},
{
"criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:premium:*:*:*",
"vulnerable": true,
"matchCriteriaId": "1FAD50A0-D3E4-40B7-80DB-AD741B1BE1E6",
"versionEndExcluding": "8.64",
"versionStartIncluding": "8.00"
},
{
"criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:premium:*:*:*",
"vulnerable": true,
"matchCriteriaId": "5DCC3F1A-6A49-4A2B-B973-1A44EFEF675B",
"versionEndExcluding": "9.83",
"versionStartIncluding": "9.0"
},
{
"criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:premium:*:*:*",
"vulnerable": true,
"matchCriteriaId": "55F2A0A6-2BA0-4176-B9A2-9E2A86635BC2",
"versionEndExcluding": "10.24",
"versionStartIncluding": "10.00"
}
],
"operator": "OR"
}
]
}
]