CVE-2019-10229
HIGHMailStore Server 9.x-11.x < 11.2.2 - Insufficient Session Expiration via Generic LDAP Authentication
Title source: llmDescription
An issue was discovered in MailStore Server (and Service Provider Edition) 9.x through 11.x before 11.2.2. When the directory service (for synchronizing and authenticating users) is set to Generic LDAP, an attacker is able to login as an existing user with an arbitrary password on the second login attempt.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://help.mailstore.com/security/MAILSTORE-SA-2019-01.txt
Scores
CVSS v3
8.8
EPSS
0.0084
EPSS Percentile
52.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-613
Status
published
Products (2)
mailstore/mailstore
9.6 - 11.2.1
mailstore/mailstore_server
9.6 - 11.2.1
Published
Dec 31, 2019
Tracked Since
Feb 18, 2026