CVE-2021-26293

An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled. They allow directory traversal to create new files (such as an executable file under the web root). This is related to DAVServer.php in 8.x and DAV/Server.php in 7.x.

Published: Mar 4, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-26293
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
afterlogic / aurora	-	8.5.3.x
afterlogic / webmail_pro	-	8.5.3.x

https://auroramail.wordpress.com/2021/02/03/addressing-dav-related-vulnerability-in-webmail-and-aurora/

Vulnerability Database

289,599

CVE-2021-26293