Multiple vulnerabilities in Icewarp Mail Server
Posted date 16/05/2025
Identifier
INCIBE-2025-0247
Importance
3 - Medium
Affected Resources
IceWarp Mail Server, version 11.4.0.
Description
INCIBE has coordinated the publication of 3 vulnerabilities (1 of medium severity and 2 of low severity) affecting IceWarp Mail Server, a messaging and communication platform for organisations, version 11.4.0. They were discovered by Julen Garrido Estévez.
Each vulnerability has been assigned the following CVE identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40630: CVSS v4.0 base score 5.1 | vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N | CWE-601
- CVE-2025-40631: CVSS v4.0 base score 2.0 | vector CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-644
- CVE-2025-40632: CVSS v4.0 base score 2.0 | vector CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
The vulnerabilities have been fixed by the IceWarp team in version 13.0.2.
Detail
- CVE-2025-40630: open redirection vulnerability in IceWarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to redirect a user to any domain by sending the victim a crafted URL, for example “https://icewarp.domain.com//<MALICIOUS_DOMAIN>/%2e%2e”. This vulnerability has been tested in Firefox.
- CVE-2025-40631: HTTP Host header injection vulnerability in IceWarp Mail Server affecting version 11.4.0. By modifying the Host header and adding a payload, arbitrary JavaScript code can be executed when the page loads. The user must interact with a malicious link to be redirected.
- CVE-2025-40632: cross-site scripting (XSS) vulnerability in IceWarp Mail Server affecting version 11.4.0. This vulnerability allows an attacker to modify the “lastLogin” cookie with malicious JavaScript code that is executed when the page is rendered.