Multiple vulnerabilities have been identified in the application that may allow an attacker to carry out cross-site scripting attacks and disclose the path to the victim's home directory. The issues are reported to exist in the login script, 'emumail.fcgi' script and the 'init.emu' sample script.
EMU Webmail 5.2.7 has been reported to be affected by these issues.
EMUMAIL WebMail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker requests the "init.emu" script without parameters, which will disclose the physical path of the script resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.