TWSL2015-001 and TWSL2015-002: New Advisories Affect IceWarp Mail Server and Magnolia CMS

The SpiderLabs team at Trustwave published two new advisories today which detail issues discovered in the IceWarp Mail Server and Magnolia CMS. Both advisories were discovered by Piotr Karolak, a SpiderLabs Security Analyst.

IceWarp Mail Server provides a WebMail interface for web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection. The first vulnerability Karolak discovered consisted of multiple unauthenticated directory traversals. The vulnerability would allow attackers to access restricted directories and execute commands outside of the web server's root directory. The second vulnerability is a reflected Cross-Site Scripting (XSS) vulnerability which would allow an attacker to inject arbitrary javascript into a IceWarp WebMail session. Users of IceWarp Mail Server are advised to upgrade to version v11.1.2 or the latest stable version in order to patch these vulnerabilities.

The second advisory affects Magnolia CMS, an open source Content Management System. The bug Karolak discovered was another cross-site scripting vulnerability. Users of Magnolia CMS should upgrade to version v5.3.7 or the latest stable version.

For more information on either of these advisories please follow the links below.

Multiple Vulnerabilities in IceWarp Mail Server (TWSL2015-001)
Cross-Site Scripting in Magnolia CMS (TWSL2015-002)

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.