CVE-2021-26293
CRITICAL
AfterLogic Aurora and WebMail Pro < 8.5.3 - Path Traversal and Arbitrary File Write via DAV Server
Title source: llm
Description
An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled. They allow directory traversal to create new files (such as an executable file under the web root). This is related to DAVServer.php in 8.x and DAV/Server.php in 7.x.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://auroramail.wordpress.com/2021/02/03/addressing-dav-related-vulnerability-in-webmail-and-aurora/
Scores
CVSS v3: 9.8
EPSS: 0.0711
EPSS Percentile: 93.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-22
Status: published
Products (2)
afterlogic/aurora < 8.5.3
afterlogic/webmail_pro < 8.5.3
Published: Mar 04, 2021
Tracked Since: Feb 18, 2026