[原文]attachment.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to view other users' attachments by specifying the username and message ID in an HTTP request.
IceWarp Web Mail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker requests the attachment.html script with arbitrary user variables, which will disclose the contents of other user's e-mail attachments resulting in a loss of confidentiality.
Upgrade to version 5.2.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.