Vulnerability Details : CVE-2012-4940
Public exploit exists!
Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in (1) the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in (2) an edit action or (3) a delete action to the default URI.
Vulnerability category: Directory traversal
Exploit prediction scoring system (EPSS) score for CVE-2012-4940
Probability of exploitation activity in the next 30 days: 16.41%
Percentile (the proportion of vulnerabilities scored at or below this score): ~96%
Metasploit modules for CVE-2012-4940
- Axigen Arbitrary File Read and Delete
  Disclosure Date: 2012-10-31
  First seen: 2020-04-26
  Module: auxiliary/admin/http/axigen_file_access
  This module exploits a directory traversal vulnerability in the WebAdmin interface of Axigen, which allows an authenticated user to read and delete arbitrary files with SYSTEM privileges. The vulnerability is known to work on Windows platforms. This module ha
CVSS scores for CVE-2012-4940
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST
CWE ids for CVE-2012-4940
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4940
- http://www.kb.cert.org/vuls/id/586556
  VU#586556 - Axigen Mail Server directory traversal vulnerability (US Government Resource)
- http://www.securityfocus.com/bid/56343
  Axigen Mail Server 'fileName' Parameter Directory Traversal Vulnerability
Products affected by CVE-2012-4940
- cpe:2.3:a:gecad:axigen_free_mail_server:-:*:*:*:*:*:*:*