CVE-2021-26294

Description

An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when using the caldav_public_user account (with caldav_public_user as its password).

NVD
Severity: HIGH
CVE ID: CVE-2021-26294
CVSS Score: 7.5
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Refrence: NVD MITRE

Proof Of Concept

Nuclei Templates for CVE-2021-26294

Refrence: Project Discovery GitHub

dorkerdevil

Directory Traversal in Afterlogic webmail aurora and pro

Refrence: GitHub

Description​

Proof Of Concept​

Description

Proof Of Concept