Published: 2022/01/25  Last Updated: 2022/01/25

JVN#70100915
Multiple vulnerabilities in TransmitMail

Overview

TransmitMail contains multiple vulnerabilities.

Products Affected

  • TransmitMail 2.5.0 to 2.6.1

Description

TransmitMail is a PHP-based mail form system. TransmitMail contains the multiple vulnerabilities listed below.

  • Directory traversal vulnerability due to the improper validation of external input values (CWE-22) - CVE-2022-22146
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N Base Score: 5.0
  • Cross-site scripting (CWE-79) - CVE-2022-21193
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score: 6.1
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
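As an added illustration that is not TransmitMail's code (the advisory gives no detail on which parameters or files are affected), the following PHP shows the two generic defences that address the weakness classes named above: canonicalising a user-supplied file name and confirming it stays inside an allowed directory (CWE-22), and escaping form values before echoing them back into HTML (CWE-79). The function and variable names (resolveTemplatePath, h, $baseDir, $userValue), the temporary directory and the sample inputs are all constructed for this example.

```php
<?php
// Added example, not TransmitMail's code: generic mitigations for the two
// weakness classes named in the advisory, CWE-22 and CWE-79.
// All names here (resolveTemplatePath, h, $baseDir, $userValue) are hypothetical.

declare(strict_types=1);

/**
 * Resolve a user-supplied relative file name to an absolute path and
 * accept it only if it stays inside $baseDir (CWE-22 mitigation).
 * Returns the canonical path, or null if the input must be rejected.
 */
function resolveTemplatePath(string $baseDir, string $userValue): ?string
{
    // Reject anything that is not a plain file name before touching the
    // filesystem: letters, digits, dot, dash and underscore only, not
    // starting with a dot, so separators, "..", and NUL bytes never pass.
    if (preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}\z/', $userValue) !== 1) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist
    }

    // realpath() also resolves symlinks, so the prefix check below reflects
    // where the file really lives, not just how its name was spelled.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userValue);
    if ($candidate === false) {
        return null; // file does not exist
    }

    // The resolved file must be strictly inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Escape a value for insertion into an HTML text node or attribute
 * (CWE-79 mitigation). ENT_QUOTES covers both quote styles, so the
 * result is safe inside double- and single-quoted attributes.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Demonstration against a constructed temporary template directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tm_example_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'confirm.html', '<p>ok</p>');

// Constructed inputs: the expected decision for each is given alongside it.
$checks = [
    'confirm.html'       => true,   // legitimate template name
    '../../etc/passwd'   => false,  // traversal, rejected by the name pattern
    "confirm.html\0.txt" => false,  // NUL byte, rejected by the name pattern
    'missing.html'       => false,  // well-formed name but the file does not exist
];
foreach ($checks as $input => $expectAccept) {
    $accepted = resolveTemplatePath($tmp, $input) !== null;
    printf("%-24s accepted=%s expected=%s\n",
        json_encode($input), var_export($accepted, true), var_export($expectAccept, true));
    assert($accepted === $expectAccept);
}

// Escaping a submitted form value before echoing it into the confirmation page.
$name = '<script>alert(1)</script>';
echo '<input type="text" name="name" value="' . h($name) . '">' . "\n";

unlink($tmp . DIRECTORY_SEPARATOR . 'confirm.html');
rmdir($tmp);
```

The name pattern is deliberately stricter than a pure realpath() prefix check: it rejects non-existent and malformed names before any filesystem call, and the realpath() comparison then catches anything the pattern alone would miss, such as a symlink inside the directory that points outside it. Run it with `php` on the command line; it prints one line per constructed input and the escaped input element.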

Impact

  • A remote attacker may obtain arbitrary files on the server - CVE-2022-22146
  • An arbitrary script may be executed on the web browser of the user who is accessing a website that uses the product - CVE-2022-21193

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor         Status       Last Update   Vendor Notes
TAGAWA Takao   Vulnerable   2022/01/25    TAGAWA Takao website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

ishiyuriniwa reported these vulnerabilities to TAGAWA Takao and coordinated.
TAGAWA Takao reported these vulnerabilities to IPA to notify users of the solution through JVN.

Other Information

CVE: CVE-2022-21193, CVE-2022-22146
JVN iPedia: JVNDB-2022-000007