VYPR

Aurora

by Afterlogic

CVEs (8)

  • CVE-2025-12460 | Med | Oct 31, 2025
    risk 0.34 | cvss | epss 0.00

    An XSS issue was discovered in Afterlogic Aurora webmail version 9.8.3 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img HTML tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail…

  • CVE-2017-14597 | Med | Sep 19, 2017
    risk 0.31 | cvss 4.8 | epss 0.01

    AdminPanel in AfterLogic WebMail 7.7 and Aurora 7.7.5 has XSS via the txtDomainName field to adminpanel/modules/pro/inc/ajax.php during addition of a domain.

  • CVE-2025-59687 | Med | Oct 1, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization.

  • CVE-2021-26294 | Mar 7, 2021
    risk 0.07 | cvss | epss 0.17

    An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when…

  • CVE-2021-26293 | Mar 4, 2021
    risk 0.04 | cvss | epss 0.07

    An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled. They allow directory traversal to create new files (such as an executable file under the web root). This is related to DAVServer.php in 8.x and DAV/Server.php in 7.x.

  • CVE-2009-3365 | Sep 24, 2009
    risk 0.03 | cvss | epss 0.02

    PHP remote file inclusion vulnerability in add-ons/modules/sysmanager/plugins/install.plugin.php in Aurora CMS 1.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the AURORA_MODULES_FOLDER parameter.

  • CVE-2019-19129 | Nov 26, 2019
    risk 0.00 | cvss | epss 0.01

    Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.

  • CVE-2019-16238 | Sep 12, 2019
    risk 0.00 | cvss | epss 0.01

    Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged for session hijacking by retrieving the session cookie from the administrator login.