CVE-2019-12938

low-risk
Published 2019-06-24

The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to protect the logs/ folder, which is effective with the Apache HTTP Server but is ineffective with nginx. Attackers can read logs via the webmail/logs/sendmail URI.

Do I need to act?

-
0.19% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Poste.Io

Affected Vendors

Analogic

References (4)

Exploit https://bitbucket.org/analogic/mailserver/issues/665/posteio-logs-leak
Release Notes https://poste.io/changelog
Exploit https://bitbucket.org/analogic/mailserver/issues/665/posteio-logs-leak
Release Notes https://poste.io/changelog
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal