Published: 2013/04/04  Last Updated: 2013/04/04

Active! mail vulnerable to information disclosure


Active! mail contains an information disclosure vulnerability.

Products Affected

  • Active! mail 6


Active! mail, provided by TransWARE, is webmail software. Active! mail contains an information disclosure vulnerability.


If the "external public interface" is enabled, an attacker who can log into the server may obtain users' credentials.


Restrict log-in to the server
Allow connections only from an administrator or trusted users.

Do not use the "external public interface" function
Turn off the "external public interface" if the function is not necessary.

For more information, refer to the information provided by the developer.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
TransWARE Co. | Vulnerable | 2013/04/04 |


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2013.04.04

Measures | Conditions | Severity
Access Required | requires you to login into the box to a shell or remote desktop | Low-Mid
Authentication | login caused to be created by an administrator | Low-Mid
User Interaction Required | the vulnerability can be exploited without an honest user taking any action | High
Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) | Mid-High


Mitsuru Ogino of Sugiyama Jogakuen reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

JPCERT Reports |
CERT Advisory |
CPNI Advisory |
CVE | CVE-2013-2302
JVN iPedia | JVNDB-2013-000031