[原文]Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to gain sensitive information via a direct request to (1) accountsettings_add.html or (2) topmenu.html.
IceWarp Web Mail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker directly requests the accountsettings_add.html script, which will disclose the physical path of the web server information resulting in a loss of confidentiality.
Upgrade to version 5.2.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.