MidnightBSD

Advisories for cybonet

CVE-2021-36719 HIGH

PineApp - Mail Secure - The attacker must be logged in as a user to the Pineapp system. The attacker exploits the vulnerable nicUpload.php file to upload a malicious file,Thus taking over the server and running remote code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434,

Products Affected

Vendor Product Version
cybonet mail_secure *
CVE-2022-22793 MEDIUM

Cybonet - PineApp Mail Relay Local File Inclusion. Attacker can send a request to : /manage/mailpolicymtm/log/eml_viewer/email.content.body.php?filesystem_path=ENCDODED PATH and by doing that, the attacker can read Local Files inside the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
cna@cyber.gov.il 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H 1.3 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
cybonet pineapp_mail_secure -
CVE-2022-22794 HIGH

Cybonet - PineApp Mail Relay Unauthenticated Sql Injection. Attacker can send a request to: /manage/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/userlist.php?CUSTOMER_ID_INNER=1 /manage/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 /admin/emailrichment/usersunlist.php?CUSTOMER_ID_INNER=1 and by doing that, the attacker can run Remote Code Execution in one liner.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@cyber.gov.il 6.8 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H 1.3 5.5
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
cybonet pineapp_mail_secure -
CVE-2023-31183

Cybonet PineApp Mail SecureĀ A reflected cross-site scripting (XSS) vulnerability was identified in the product, using an unspecified endpoint.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@cyber.gov.il 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
cybonet pineapp_mail_secure *