JVN#92720882
Multiple vulnerabilities in CGIs of PMailServer and PMailServer2
Overview
CGIs included with PMailServer and PMailServer2 provided by A.K.I Software contain multiple vulnerabilities.
Products Affected
- PMailServer Free edition
* This product is affected by CVE-2023-39223 (pmam.exe) only. - PMailServer Version 1.91 and earlier
- Standard edition
- Pro edition
- Standard + IMAP4 edition
- Pro + IMAP4 edition
- PMailServer2 prior to Version 2.51a
- Standard edition
- Pro edition
- Standard + IMAP4 edition
- Pro + IMAP4 edition
- Enterprise edition
- pmc.exe 2.5.1.720 and earlier
- pmam.exe 2.5.1.1411 and earlier
- pmmls.exe 2.5.1.561 and earlier
- pmum.exe (Standard edition) 2.5.1.25451 and earlier
- pmum.exe (Pro edition) 2.5.1.25452 and earlier
- pmum.exe (Standard + IMAP4 edition) 2.5.1.25453 and earlier
- pmum.exe (Pro + IMAP4 edition / Enterprise edition) 2.5.1.25454 and earlier
- pmman.exe (Standard edition) 2.5.1.12154 and earlier
- pmman.exe (Pro edition) 2.5.1.12155 and earlier
- pmman.exe (Standard + IMAP4 edition) 2.5.1.12156 and earlier
- pmman.exe (Pro + IMAP4 edition) 2.5.1.12157 and earlier
- pmman.exe (Enterprise edition) 2.5.1.12158 and earlier
Description
CGIs included with PMailServer and PMailServer2 provided by A.K.I Software contain multiple vulnerabilities listed below.
- Stored cross-site scripting vulnerability (CWE-79) - CVE-2023-39223
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0 - Insufficient verification vulnerability in Broadcast Mail CGI (pmc.exe) (CWE-434) - CVE-2023-39933
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3 CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0 - Directory traversal vulnerability in Mailing List Search CGI (pmmls.exe) (CWE-22) - CVE-2023-40160
CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 3.7 CVSS v2 AV:N/AC:M/Au:N/C:P/I:N/A:N Base Score: 4.3 - Directory traversal vulnerability in Internal Simple Webserver (CWE-22) - CVE-2023-40747
CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3 CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
Impact
- An arbitrary script may be executed on a logged-in user's web browser - CVE-2023-39223
- A user who can upload files through the product may execute an arbitrary excutable file with the web server's execution privilege - CVE-2023-39933
- A remote attacker may obtain arbitrary files on the server - CVE-2023-40160
- A remote attacker may access arbitrary files outside DocumentRoot - CVE-2023-40747
Solution
For PMailServer2:
Apply Update file
Apply Update file according to the information provided by the developer.
For PMailServer:
Stop using the product's CGIs or Switch to alternative products
The developer states that the affected products are no longer being developed, and Update files will not be provided.
The developer recommends stop using the product's CGIs or switching to an alternative product "PMailServer2".
Apply the Workarounds
The developer provides workarounds for these vulnerabilities.
For more information, please refer to the developer's website (Text in Japanse).
Vendor Status
| Vendor | Link |
| A.K.I Software | CGI of PMailServer/PMailServer2 vulnerability information (Text in Japanese) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
CVE-2023-39223, CVE-2023-39933, CVE-2023-40160
Shuji Shimizu of VeriServe Corporation reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVE-2023-40747
Shunta Nakanishi of VeriServe Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-39223 |
|
CVE-2023-39933 |
|
|
CVE-2023-40160 |
|
|
CVE-2023-40747 |
|
| JVN iPedia |
JVNDB-2023-000090 |