[Japanese]

JVNDB-2013-000031

Active! mail vulnerable to information disclosure

Overview

Active! mail contains an information disclosure vulnerability.

Active! mail provided by TransWARE is a webmail software. Active! mail contains an information disclosure vulnerability.

Mitsuru Ogino of Sugiyama Jogakuen reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 2.1 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products


TransWARE Co.
  • Active! mail 6

Impact

If the "external public interface" is enabled, an attacker who can log into the server may obtain users credentials.
Solution

[Restrict log-in to the server]
Allow connections only from an administrator or trusted users.

[Do not use the "external public interface" function]
Turn off the "external public interface" if the function is not necessary.

For more information, refer to the information provided by the developer.
Vendor Information

TransWARE Co.
CWE (What is CWE?)

  1. Information Exposure(CWE-200) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2013-2302
References

  1. JVN : JVN#04288738
  2. National Vulnerability Database (NVD) : CVE-2013-2302
Revision History

[2013/04/04]
  Web page was published
[2013/06/25]
  References : Content was added