CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
58.3%
This vulnerability can be exploited by an unauthenticated attacker and opens the possibility of not only attacking other local services, but also the router of the home network. The ability to receive and write CSS files can be used by the attacker to find out what other services are running on devices in the network or what kind of router is used etc. before running additional attacks.
It is recommendet to upgrade to Mail 1.12.7 or Mail 1.13.6
Users can manually delete the file located at ./vendor/cerdic/css-tidy/css_optimiser.php
If you have any questions or comments about this advisory: