The webmail package embedded in Merak Mail Server is reported to be prone to multiple vulnerabilities.
The vulnerabilities reported are:
- Multiple cross-site scripting vulnerabilities
- An HTML injection vulnerability
- A PHP source code disclosure vulnerability
- An SQL injection vulnerability
These vulnerabilities are reported to exist in versions prior to 7.5.2.
Merak Mail Server contains a flaw that allows an attacker to inject arbitrary SQL code. The "schedule" variable in the calendar.html script is not properly validated, which lets an attacker inject into or manipulate SQL queries.
Upgrade to version 7.5.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
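
To check whether a server that ran a version prior to 7.5.2 received requests carrying SQL syntax in the "schedule" variable of calendar.html, the web access logs can be scanned. The following is an added example, not code from the advisory or from the vendor; the log format (Common Log Format), the /mail/ path, the sample lines and the marker list are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Heuristic markers of SQL syntax in a decoded parameter value.
# This list is an assumption for triage, not a vendor-supplied signature.
SQL_MARKERS = re.compile(
    r"""['";]|--|/\*|\b(?:union|select|insert|update|delete|drop)\b""",
    re.IGNORECASE,
)

def suspicious_schedule_requests(log_lines):
    """Return (line_number, decoded_value) for each calendar.html request
    whose 'schedule' query parameter contains SQL-looking syntax."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/calendar.html"):
            continue  # the advisory names only calendar.html
        # parse_qsl percent-decodes values, so %27 is seen as a quote.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() == "schedule" and SQL_MARKERS.search(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical /mail/ path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2004:10:00:00 +0000] "GET /mail/calendar.html?schedule=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2004:10:00:05 +0000] "GET /mail/calendar.html?schedule=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '192.0.2.44 - - [01/Jan/2004:10:00:09 +0000] "GET /mail/inbox.html?schedule=1%27 HTTP/1.1" 200 300',
    '192.0.2.51 - - [01/Jan/2004:10:02:00 +0000] "GET /mail/calendar.html?view=week&schedule=3+UNION+SELECT+1 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, value in suspicious_schedule_requests(SAMPLE_LOG):
        print(f"line {number}: schedule={value!r}")
```

Access logs do not record POST bodies, so this only sees the variable when it is sent in the query string.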