CVE-2012-4940 : Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote att

Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in (1) the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in (2) an edit action or (3) a delete action to the default URI.

Published 2012-10-31 19:55:01

Updated 2013-02-26 04:51:01

Source CERT/CC

View at NVD, CVE.org

Vulnerability category: Directory traversal

Exploit prediction scoring system (EPSS) score for CVE-2012-4940

Probability of exploitation activity in the next 30 days: 16.41%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 96 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2012-4940

Axigen Arbitrary File Read and Delete

Disclosure Date: 2012-10-31

First seen: 2020-04-26

auxiliary/admin/http/axigen_file_access

This module exploits a directory traversal vulnerability in the WebAdmin interface of Axigen, which allows an authenticated user to read and delete arbitrary files with SYSTEM privileges. The vulnerability is known to work on Windows platforms. This module ha

More information

CVSS scores for CVE-2012-4940

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:P/A:N	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2012-4940

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-4940

http://www.kb.cert.org/vuls/id/586556

VU#586556 - Axigen Mail Server directory traversal vulnerability
US Government Resource
http://www.securityfocus.com/bid/56343

Axigen Mail Server 'fileName' Parameter Directory Traversal Vulnerability

Products affected by CVE-2012-4940

Gecad » Axigen Free Mail Server » Version: N/A
cpe:2.3:a:gecad:axigen_free_mail_server:-:*:*:*:*:*:*:*
Matching versions