Multiple vulnerabilities in Icewarp Mail Server
Publication date: 16/05/2025
Identifier
INCIBE-2025-0247
Importance
3 - Medium
Affected Resources
IceWarp Mail Server, version 11.4.0.
Description
INCIBE has coordinated the publication of 3 vulnerabilities (1 of medium severity and 2 of low severity) affecting IceWarp Mail Server, a messaging and communication platform for organisations, in version 11.4.0. They were discovered by Julen Garrido Estévez.
These vulnerabilities have been assigned the following identifiers, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:
- CVE-2025-40630: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N | CWE-601
- CVE-2025-40631: CVSS v4.0: 2.0 | CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-644
- CVE-2025-40632: CVSS v4.0: 2.0 | CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution
The vulnerabilities have been fixed by the IceWarp team in version 13.0.2.
Detail
- CVE-2025-40630: open redirect vulnerability in IceWarp Mail Server affecting version 11.4.0. An attacker can redirect a user to any domain by sending the victim a crafted URL, for example “https://icewarp.domain.com//<MALICIOUS_DOMAIN>/%2e%2e”: the “//” followed by a host is interpreted as a scheme-relative URL, so the redirect leaves the original origin. This vulnerability has been tested in Firefox.
- CVE-2025-40631: HTTP Host header injection vulnerability in IceWarp Mail Server affecting version 11.4.0. By modifying the Host header and adding a payload, arbitrary JavaScript code can be executed on page load. The user must interact with a malicious link to be redirected.
- CVE-2025-40632: cross-site scripting (XSS) in IceWarp Mail Server affecting version 11.4.0. An attacker can set the “lastLogin” cookie to a value containing JavaScript code, which is executed when the page is rendered.
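The following checker is an added example written for this advisory; it is not IceWarp code nor the researcher's proof of concept. It encodes the three conditions described above as offline-testable functions: whether a redirect resolved the way a browser resolves it (scheme-relative “//host”, percent-encoded dot segments) leaves the requested origin, and whether a marker sent in the Host header or in the “lastLogin” cookie comes back in the HTML unescaped. Host names, the marker string and the sample responses are constructed for illustration; the live driver at the bottom assumes you are authorised to test the target.

```python
"""Offline-testable checks for the issue classes in INCIBE-2025-0247.

Added example, not IceWarp's code or the original PoC. Host names, the
marker and the sample responses below are constructed for illustration.
"""
from html import escape
from urllib.parse import unquote, urljoin, urlsplit
import urllib.error
import urllib.request

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Benign marker with characters that any HTML/JS encoder must change.
# It is a reflection probe, not a working payload.
MARKER = 'probe"<x>'


def build_probe_url(base_url: str, attacker_host: str) -> str:
    """Build the open-redirect probe from the pattern quoted in the advisory:
    https://<target>//<MALICIOUS_DOMAIN>/%2e%2e"""
    return base_url.rstrip("/") + "//" + attacker_host + "/%2e%2e"


def resolved_redirect_host(request_url: str, location: str) -> str:
    """Resolve a Location value the way a browser does and return its host.

    A scheme-relative value ("//evil.example/...") keeps the request scheme
    but takes the attacker's authority; "%2e%2e" is decoded to ".." first so
    encoded dot segments do not hide the real target.
    """
    target = urljoin(request_url, unquote(location))
    return urlsplit(target).hostname or ""


def is_open_redirect(request_url: str, status: int, headers: dict) -> bool:
    """True if a 3xx response points at a host other than the one requested."""
    if status not in REDIRECT_STATUSES:
        return False
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return False
    expected = urlsplit(request_url).hostname
    return resolved_redirect_host(request_url, location) != expected


def reflection_state(marker: str, body: str) -> str:
    """Classify how an injected value (Host header, cookie) comes back.

    'unescaped' means the raw marker, quotes and angle brackets included,
    is in the page: the precondition for CWE-644 / CWE-79 style injection.
    'escaped' means only the HTML-encoded form is present, which is safe.
    """
    if marker in body:
        return "unescaped"
    if escape(marker, quote=True) in body:
        return "escaped"
    return "absent"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_live(base_url: str, attacker_host: str) -> dict:
    """Send the three probes to a host you are authorised to test."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    probe = build_probe_url(base_url, attacker_host)
    try:
        with opener.open(probe, timeout=10) as resp:
            results["open_redirect"] = is_open_redirect(probe, resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:  # 3xx arrives here with _NoRedirect
        results["open_redirect"] = is_open_redirect(probe, err.code, dict(err.headers))
    for name, header in (("host_header", "Host"), ("lastLogin_cookie", "Cookie")):
        value = MARKER if header == "Host" else "lastLogin=" + MARKER
        req = urllib.request.Request(base_url, headers={header: value})
        try:
            with opener.open(req, timeout=10) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", "replace")
        results[name] = reflection_state(MARKER, body)
    return results


if __name__ == "__main__":
    # Constructed sample responses; replace with check_live("https://...", "evil.example").
    url = build_probe_url("https://icewarp.domain.com", "evil.example")
    print(is_open_redirect(url, 302, {"Location": "//evil.example/%2e%2e"}))
    print(reflection_state(MARKER, '<script>var base="https://probe"<x>/";</script>'))
    print(reflection_state(MARKER, "<span>Last login: probe&quot;&lt;x&gt;</span>"))
```

Note that the redirect check resolves Location relative to the request URL rather than string-matching it, so it also catches absolute and scheme-relative variants that a naive "starts with /" filter would pass; the reflection check is meaningful only because the marker contains a quote and angle brackets, which any correct encoder must transform.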
CVE
- CVE-2025-40630: Severity: Medium | Exploitation: No | Vendor: Icewarp Mail Server
- CVE-2025-40631: Severity: Low | Exploitation: No | Vendor: Icewarp Mail Server
- CVE-2025-40632: Severity: Low | Exploitation: No | Vendor: Icewarp Mail Server