Skip to content

Instantly share code, notes, and snippets.

@Drun1baby
Last active February 26, 2024 07:42
Show Gist options
  • Save Drun1baby/8270239bed2952dbd99cc8d4262728e8 to your computer and use it in GitHub Desktop.
Save Drun1baby/8270239bed2952dbd99cc8d4262728e8 to your computer and use it in GitHub Desktop.
CVE-2024-25501 For Winmail Description

[Suggested description]

An issue WinMail v.7.1 and v.5.1 and before allows a remote attacker to execute arbitrary code via a crafted script to the email parameter.

[Additional Information]

I have completed vulnerability feedback with the manufacturer and they have issued patches

[Vulnerability Type]

Incorrect Access Control

[Vendor of Product]

https://www.winmail.cn/download.php

[Affected Product Code Base]

Winmail - <= 7.1: <= 5.1 Pro

[Affected Component]

The WinMail email system has significant security vulnerabilities, allowing attackers to unauthorized access to all victim email content, even tampering with account passwords and taking over account permissions

[Attack Type]

Remote

[Impact Escalation of Privileges]

true

[Impact Information Disclosure]

true

[Attack Vectors]

When the victim clicks on the email, a vulnerability can be triggered

[Reference]

https://www.winmail.cn/

[Has vendor confirmed or acknowledged the vulnerability?]

true

[Discoverer]

Drunkbaby From X-Mirror-Lab

Use CVE-2024-25501.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment