The SpiderLabs team at Trustwave published two new advisories today which detail issues discovered in the IceWarp Mail Server and Magnolia CMS. Both advisories were discovered by Piotr Karolak, a SpiderLabs Security Analyst.
IceWarp Mail Server provides a WebMail interface for web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection. The first vulnerability Karolak discovered consisted of multiple unauthenticated directory traversals. The vulnerability would allow attackers to access restricted directories and execute commands outside of the web server's root directory. The second vulnerability is a reflected Cross-Site Scripting (XSS) vulnerability which would allow an attacker to inject arbitrary javascript into a IceWarp WebMail session. Users of IceWarp Mail Server are advised to upgrade to version v11.1.2 or the latest stable version in order to patch these vulnerabilities.
The second advisory affects Magnolia CMS, an open source Content Management System. The bug Karolak discovered was another cross-site scripting vulnerability. Users of Magnolia CMS should upgrade to version v5.3.7 or the latest stable version.