CVE-2019-12924

CRITICAL

Mailenable < 6.90 - XXE

Title source: rule

Description

MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could be exploited by an unauthenticated user. It was possible for an attacker to use a vulnerability in the configuration of the XML processor to read any file on the host system. Because all credentials were stored in a cleartext file, it was possible to steal all users' credentials (including the highest privileged users).

References (2)

[Release Notes, Vendor Advisory] http://www.mailenable.com/Premium-ReleaseNotes.txt

[Release Notes, Third Party Advisory] https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-mailenable/

Scores

CVSS v3 9.8

EPSS 0.0011

EPSS Percentile 29.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-611 CWE-311

Status published

Products (1)

mailenable/mailenable 6.0 - 6.90

Published Jul 08, 2019

Tracked Since Feb 18, 2026