CVE-2024-6741

MEDIUM

Openfind's Mail2000 - CSRF

Title source: llm

Description

Openfind's Mail2000 has a vulnerability that allows the HttpOnly flag to be bypassed. Unauthenticated remote attackers can exploit this vulnerability using specific JavaScript code to obtain the session cookie with the HttpOnly flag enabled.

References (3)

[Exploit] https://www.openfind.com.tw/taiwan/download/Openfind_OF-ISAC-24-007.pdf

[Third Party Advisory] https://www.twcert.org.tw/en/cp-139-7941-b66e7-2.html

[Third Party Advisory] https://www.twcert.org.tw/tw/cp-132-7940-0177a-1.html

Scores

CVSS v3 5.8

EPSS 0.0018

EPSS Percentile 38.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Classification

CWE

CWE-693

Status published

Affected Products (2)

openfind/mail2000

Timeline

Published Jul 15, 2024

Tracked Since Feb 18, 2026