Release overview
Release Date: 10 Feb 2015
Release Versions: On-Premises v7.5.0.2
⚠ Please Note:
Version 7.5.0.2 contains security fixes for the atmail 7.5.0 release. For full details on the atmail 7.5.0 release, click here.
Defect Fixes
Component/s Impacted | Impact Category | Issue Outline | Impact Description / New User Experience | User/s Impacted |
---|---|---|---|---|
Email, Email - Attachments, Web User Interface. | Security | Stored XSS in received email. | If a user receives an email with an image attachment and clicks on the image, the application allows the browser to render the image instead of prompting a download. Therefore, if the user receives an image attachment carrying stored XSS and clicks on the attachment name, the script will be executed. | End users who use the web user interface. |
Storage, Web User Interface. | Security | Reflected self-XSS - WebDAV file upload. | When a user uploads a file to Web UI >> Storage, if the name of the uploaded file consists of an HTML/JS payload, it is executed during the upload. An attacker would need to induce the user to upload a crafted file. Resolution: filter characters that may be part of HTML/JS elements from the file name. | End users who use the web user interface. |
Calendar, Calendar Events, Web User Interface. | Security | Reflected XSS - Calendar popup. | When an attacker knows the proper values for contextid, event id, and relative_href for a specific user's calendar event, the "Edit Event" request can be exploited. | End users who use the web user interface. |
Contacts, Import/Export Contacts, Web User Interface. | Security | CSRF - Add Contact. | Security vulnerability that allows an attacker to exploit the Web UI >> Contacts >> Import function to add contacts to a compromised user's address book. | End users who use the web user interface. |
Contacts, Web User Interface. | Security | CSRF - Add Photo to Contact. | Security vulnerability that allows an attacker to exploit the Web UI >> Contacts >> Edit Contact Image function to add contact images to a compromised user's address book. | End users who use the web user interface. |
Mobile/Accessibility User Interface, User - Settings. | Security | Mobile UI - CSRF - Change account settings. | Security vulnerability that allows an attacker to exploit the Mobile UI >> Edit User Settings function to change a compromised user's settings. | End users who use the mobile/accessibility user interface. |
Calendar, Calendar Events, Mobile/Accessibility User Interface. | Security | Mobile UI - CSRF - Add Event to Calendar. | Security vulnerability that allows an attacker to exploit the Mobile UI >> Calendars >> Create Calendar Event function to add calendar events to a compromised user's calendar. | End users who use the mobile/accessibility user interface. |
Email, Mobile/Accessibility User Interface. | Security | Mobile UI - CSRF via XSS - Send email. | Security vulnerability that allows an attacker to exploit the Mobile UI >> Email >> Send email function to send emails on behalf of the compromised user. | End users who use the mobile/accessibility user interface. |
Email - Attachments, Mobile/Accessibility User Interface, Web User Interface. | Security | Send the attachment MIME type in headers when the user clicks on an attachment to download it. | Currently, when a user clicks on an email attachment, the browser decides the type of the attachment and recommends an available application to open it. With this change, the atmail application specifies the MIME type of the attachment, so that the browser's download dialog provides recommendations based on the MIME type sent in the headers, rather than the browser-detected type. | End users who use the web user interface. |
Server Installation / Server Install Script | Functionality | Change the SpamAssassin update panel to use the default SA mirror instead of the atmail mirror for SA. | Currently the SA update panel uses the atmail SA mirror to perform the SA update during the atmail server install. The atmail SA mirror is currently not accessible. | System administrators who install the atmail server. |
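The three fix mechanisms the table names (serve attachments with an explicit MIME type as a download rather than letting the browser render them, filter markup characters out of uploaded file names, and tie state-changing requests to a per-session token) are illustrated below in Python. This is an added example, not atmail's code; the function names, the allow-list of content types and the sample inputs are all constructed for the illustration.

```python
"""Added example (not atmail's code): defensive handling for the classes of
issue fixed in this release. All names below are hypothetical."""
import hashlib
import hmac
import html
import re
import secrets

# Content types we are willing to pass through verbatim; anything else is served
# as an opaque binary stream. This is the "send the MIME type in the headers"
# behaviour, instead of leaving the browser to sniff the attachment body.
SAFE_TYPES = {
    "image/png", "image/jpeg", "image/gif", "application/pdf", "text/plain",
}


def safe_download_filename(name: str) -> str:
    """Reduce a user-supplied file name to a conservative form for the
    Content-Disposition header: no path components, control characters,
    quotes or markup delimiters."""
    name = name.replace("\\", "/").split("/")[-1]            # strip any path prefix
    name = re.sub(r'[\x00-\x1f\x7f"<>;]', "", name).strip()  # drop control/quote/markup chars
    return name or "attachment"


def attachment_headers(filename: str, declared_type: str) -> dict:
    """Response headers for a stored attachment. 'attachment' forces a save
    dialog instead of rendering the body in the mail origin (the stored-XSS
    path in the table), and nosniff stops the browser from overriding the
    declared type with its own detection."""
    ctype = declared_type.lower().split(";")[0].strip()
    if ctype not in SAFE_TYPES:
        ctype = "application/octet-stream"
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_download_filename(filename)}"',
    }


def render_upload_row(filename: str) -> str:
    """HTML fragment for a storage listing. The name is escaped, so a file
    called <img src=x onerror=...> is displayed as text, not executed
    (the WebDAV upload self-XSS in the table)."""
    return f'<li class="file">{html.escape(filename, quote=True)}</li>'


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Per-session anti-CSRF token: an HMAC of the session id under a server
    secret, so a page on another origin cannot compute it."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, server_key: bytes, submitted: str) -> bool:
    """Constant-time check of the token submitted with a state-changing request
    (add contact, create event, change settings) against the session's token."""
    expected = issue_csrf_token(session_id, server_key)
    return hmac.compare_digest(expected, submitted or "")


if __name__ == "__main__":
    # Constructed inputs: a file name that tries to break out of the header
    # quoting, and an upload name carrying markup.
    print(attachment_headers('photo.jpg" onload=alert(1)', "text/html"))
    print(render_upload_row("<img src=x onerror=alert(1)>.txt"))
    key = secrets.token_bytes(32)
    token = issue_csrf_token("sess-123", key)
    print(csrf_token_valid("sess-123", key, token), csrf_token_valid("sess-123", key, "x"))
```

The allow-list deliberately excludes `text/html` and `image/svg+xml`: both are rendered as documents by browsers, so even with `Content-Disposition: attachment` it is safer to serve them as `application/octet-stream`.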