CVE-2019-12923

In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
VendorProductVersion
mailenablemailenable
6.0 ≤
𝑥
< 6.90
mailenablemailenable
7.0 ≤
𝑥
< 7.62
mailenablemailenable
8.00 ≤
𝑥
< 8.64
mailenablemailenable
9.0 ≤
𝑥
< 9.83
mailenablemailenable
10.00 ≤
𝑥
< 10.24
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.mailenable.com/Premium-ReleaseNotes.txt
https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-mailenable/
http://www.mailenable.com/Premium-ReleaseNotes.txt
https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-mailenable/