[原文]MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allows remote authenticated users to gain sensitive information via an HTTP request to (1) calendar_d.html, (2) calendar_m.html, (3) calendar_w.html, or (4) calendar_y.html, which reveal the installation path.
IceWarp WebMail calendar_d.html id Variable Path Disclosure
Remote / Network Access
Loss of Confidentiality
IceWarp Web Mail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when improper parameters are provided to the calendar_d.html script, which will disclose the physical web path resulting in a loss of confidentiality.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.