Active! mail vulnerable to information disclosure


Active! mail contains an information disclosure vulnerability.

Active! mail provided by TransWARE is a webmail software. Active! mail contains an information disclosure vulnerability.

Mitsuru Ogino of Sugiyama Jogakuen reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 2.1 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

TransWARE Co.
  • Active! mail 6


If the "external public interface" is enabled, an attacker who can log into the server may obtain users credentials.

[Restrict log-in to the server]
Allow connections only from an administrator or trusted users.

[Do not use the "external public interface" function]
Turn off the "external public interface" if the function is not necessary.

For more information, refer to the information provided by the developer.
Vendor Information

TransWARE Co.
CWE (What is CWE?)

  1. Information Exposure(CWE-200) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2013-2302

  1. JVN : JVN#04288738
  2. National Vulnerability Database (NVD) : CVE-2013-2302
Revision History

  • [2013/04/04]
      Web page was published
      References : Content was added