CVE-2020-5541

CyberSolutions CyberMail Pre-Auth Open Redirect


Current Description

An open redirect vulnerability, exploitable in all browsers, exists in CyberMail version 5 or later. It redirects a user to a malicious site without authentication.

This vulnerability affects many mail systems of governments, organizations, companies and universities.


Details

The injection point is the ACTION parameter in "/cgi-bin/go".


We execute arbitrary code via the ACTION parameter without authentication.


Description

It could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.


Affected files

http://`[Target Domain]`/cgi-bin/go
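
A log check for this endpoint, added here as an example and not part of the original advisory or of CyberMail: it scans web server access logs for requests to /cgi-bin/go whose ACTION value names a host outside an allow-list. The combined log format, the sample lines, the allow-list host mail.example.org, and the assumption that a redirect target appears in ACTION as an absolute or scheme-relative URL are all assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (combined log format, documentation IPs and domains).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2020:10:00:01 +0000] '
    '"GET /cgi-bin/go?ACTION=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.8 - - [01/Mar/2020:10:00:05 +0000] '
    '"GET /cgi-bin/go?ACTION=//phish.example/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Mar/2020:10:01:00 +0000] '
    '"GET /cgi-bin/go?ACTION=inbox HTTP/1.1" 200 512',
    '203.0.113.6 - - [01/Mar/2020:10:02:00 +0000] '
    '"GET /cgi-bin/go?ACTION=https://mail.example.org/home HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Mar/2020:10:03:00 +0000] '
    '"GET /index.html?ACTION=https://phish.example/ HTTP/1.1" 200 128',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def offsite_action(request_target, allowed_hosts):
    """Return the ACTION value if it names a host outside allowed_hosts, else None."""
    parts = urlsplit(request_target)
    if parts.path != "/cgi-bin/go":        # affected file named in the advisory
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.upper() != "ACTION":        # injection point named in the advisory
            continue
        try:
            # Browsers treat "\" like "/", so normalise before parsing.
            host = urlsplit(value.strip().replace("\\", "/")).hostname
        except ValueError:
            return value                   # unparsable target: surface for review
        if host and host.lower() not in allowed_hosts:
            return value
    return None

def scan(lines, allowed_hosts):
    """Return (client_ip, ACTION value) for each request with an off-host target."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match:
            value = offsite_action(match.group(1), allowed_hosts)
            if value is not None:
                hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG, {"mail.example.org"}):
        print(client, value)
```
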


Contributor

  • Tony Kuo (CHT Security)