CVE-2023-39699

moderate-risk

Published 2023-08-25

IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /calendar/minimizer/index.php. This vulnerability allows attackers to include or execute files from the local file system of the targeted server.

Do I need to act?

0.54% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Mail Server

Affected Vendors

Icewarp

References (6)

Third Party Advisory https://cwe.mitre.org/data/definitions/98.html

Exploit https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU

Third Party Advisory https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_S...

Third Party Advisory https://cwe.mitre.org/data/definitions/98.html

Exploit https://drive.google.com/file/d/1NkqL4ySJApyPy8B-zDC7vE-QMBQAu8OU

Third Party Advisory https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_S...

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal