Aurora
by Afterlogic
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-12460 | Med | 0.34 | — | 0.00 | Oct 31, 2025 | An XSS issue was discovered in Afterlogic Aurora webmail version 9.8.3 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img HTML tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail… | ||
| CVE-2017-14597 | Med | 0.31 | 4.8 | 0.01 | Sep 19, 2017 | AdminPanel in AfterLogic WebMail 7.7 and Aurora 7.7.5 has XSS via the txtDomainName field to adminpanel/modules/pro/inc/ajax.php during addition of a domain. | ||
| CVE-2025-59687 | Med | 0.28 | 4.3 | 0.00 | Oct 1, 2025 | IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization. | ||
| CVE-2021-26294 | 0.07 | — | 0.17 | Mar 7, 2021 | An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when… | |||
| CVE-2021-26293 | 0.04 | — | 0.07 | Mar 4, 2021 | An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled. They allow directory traversal to create new files (such as an executable file under the web root). This is related to DAVServer.php in 8.x and DAV/Server.php in 7.x. | |||
| CVE-2009-3365 | 0.03 | — | 0.02 | Sep 24, 2009 | PHP remote file inclusion vulnerability in add-ons/modules/sysmanager/plugins/install.plugin.php in Aurora CMS 1.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the AURORA_MODULES_FOLDER parameter. | |||
| CVE-2019-19129 | 0.00 | — | 0.01 | Nov 26, 2019 | Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name. | |||
| CVE-2019-16238 | 0.00 | — | 0.01 | Sep 12, 2019 | Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged for session hijacking by retrieving the session cookie from the administrator login. |
- risk 0.34cvss —epss 0.00
An XSS issue was discovered in Afterlogic Aurora webmail version 9.8.3 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img HTML tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail…
- risk 0.31cvss 4.8epss 0.01
AdminPanel in AfterLogic WebMail 7.7 and Aurora 7.7.5 has XSS via the txtDomainName field to adminpanel/modules/pro/inc/ajax.php during addition of a domain.
- risk 0.28cvss 4.3epss 0.00
IMPAQTR Aurora before 1.36 allows Insecure Direct Object Reference attacks against the users list, organization details, bookmarks, and notifications of an arbitrary organization.
- CVE-2021-26294Mar 7, 2021risk 0.07cvss —epss 0.17
An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail Pro through 7.7.9. They allow directory traversal to read files (such as a data/settings/settings.xml file containing admin panel credentials), as demonstrated by dav/server.php/files/personal/%2e%2e when…
- CVE-2021-26293Mar 4, 2021risk 0.04cvss —epss 0.07
An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail Pro through 8.5.3, when DAV is enabled. They allow directory traversal to create new files (such as an executable file under the web root). This is related to DAVServer.php in 8.x and DAV/Server.php in 7.x.
- CVE-2009-3365Sep 24, 2009risk 0.03cvss —epss 0.02
PHP remote file inclusion vulnerability in add-ons/modules/sysmanager/plugins/install.plugin.php in Aurora CMS 1.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the AURORA_MODULES_FOLDER parameter.
- CVE-2019-19129Nov 26, 2019risk 0.00cvss —epss 0.01
Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11, allows Remote Stored XSS via an attachment name.
- CVE-2019-16238Sep 12, 2019risk 0.00cvss —epss 0.01
Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged for session hijacking by retrieving the session cookie from the administrator login.