JVN#35906450
Multiple vulnerabilities in acmailer

Overview

acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities.

Products Affected

CVE-2021-20617

• acmailer ver. 4.0.1 and earlier
• acmailer DB ver. 1.1.3 and earlier

• acmailer ver. 4.0.2 and earlier
• acmailer DB ver. 1.1.4 and earlier

Description

acmailer provided by Seeds Co.,Ltd. contains multiple vulnerabilities listed below.

• Improper Access Control (CWE-284) - CVE-2021-20617

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 9.8
  CVSS v2	AV:N/AC:L/Au:N/C:P/I:P/A:P	Base Score: 7.5

• Privilege Chaining (CWE-268) - CVE-2021-20618

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 9.8
  CVSS v2	AV:N/AC:L/Au:N/C:P/I:P/A:P	Base Score: 7.5

Impact

• A remote attacker may execute an arbitrary OS command/obtain administrative privileges and as a result, sensitive information on the server may be obtained - CVE-2021-20617
• A remote attacker may obtain administrative privileges and as a result, sensitive information on the server may be obtained - CVE-2021-20618

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have been already addressed in the following versions.

• acmailer ver. 4.0.3 or later
• acmailer DB ver. 1.1.5 or later

• Delete the following file in the folder directly below the folder where the product is placed.
  • init_ctl.cgi

• Delete the following file in the folder directly below the folder where the product is placed.
  • enq_detail.cgi
  • enq_detail_mail.cgi
  • enq_edit.cgi
  • enq_form.cgi
  • enq_list.cgi