Key vulnerability information obtained from the web screenshot is as follows:

### Vulnerability Overview

- **Vulnerability ID**: JVN#92720882
- **Disclosure Date**: September 5, 2023
- **Last Updated**: September 5, 2023

The following vulnerabilities exist in the CGI components associated with PMailServer / PMailServer2:

1. Arbitrary JavaScript code execution in the scheduler of the associated Webmail (pmum.exe).
2. Ability to upload executable files other than image files and execute them remotely in the associated announcement mail (pmc.exe).
3. File retrieval vulnerability in the associated mailing list search (pmmls.exe), allowing access to arbitrary files.
4. Vulnerability in the simple web server associated with the server manager, allowing access to files outside the DocumentRoot via HTTP/HTTPS.
5. Input containing HTML tags can be directly output and executed in CGI (pmam.exe / pmum.exe / pmc.exe), leading to XSS (Cross-Site Scripting).

### Affected Versions

- PMailServer Free Edition (pmam.exe)
- PMailServer versions prior to 1.91: Standard Edition, Professional Edition, Standard + IMAP4 Edition, Professional + IMAP4 Edition
- PMailServer2 versions prior to 2.51a: Standard Edition, Professional Edition, Standard + IMAP4 Edition, Professional + IMAP4 Edition, Enterprise Edition

### Verification Method

Check the version information of the relevant files via Windows Explorer.

### Mitigation Measures

1. When using PMailServer2, copy the related update files to the publicly accessible website directory.
2. For the Free Edition and older PMailServer versions that cannot be updated, it is recommended to upgrade to PMailServer2.

### Detailed Vulnerability Descriptions and Countermeasures

1. Arbitrary JavaScript injection and execution in Webmail; countermeasure: escape HTML tags.
2. Non-image file upload and execution in announcement mail; countermeasure: prohibit upload of non-image files.
3. Arbitrary file retrieval in mailing list search; countermeasure: restrict access to unpublicized mail files.
4. Access to files outside DocumentRoot; countermeasure: restrict access to files outside DocumentRoot.
5. Execution of HTML tag input; countermeasure: escape input characters.

### Workaround Strategies

When using PMailServer2, it is recommended to upgrade to version 2.51a or later. For legacy versions that cannot be updated, implement access restrictions and consider upgrading to PMailServer2.