IceWarp Security Update – Version 11.1.2
Posted by Michael Filip, Last modified by Michael Filip on 14 January 2015 10:00 AM

IceWarp Server 11.1.2 addresses a critical security vulnerability in WebClient.

Security Advisory

In our continued efforts to keep our products at the highest security level, IceWarp regularly scans for vulnerabilities and exploits, both internally and externally, using several security agencies. The latest scan has uncovered two dangerous issues with critical to high risk potential.

  1. There is potential for an attacker to obtain any file on the server if they know the full path to the file.

    Affected products: WebClient desktop interface (11.1.x only), old WebClient desktop interface (11.1.x, 11.0.x, 10.4.x and older)
    Severity: critical

  2. A Cross-Site Scripting (XSS) vulnerability in WebClient (incl. Tablet) could allow an attacker to send a malformed URL in an email; opening such an email could execute malicious JavaScript code.

    Affected products: WebClient desktop interface (11.1.x only), WebClient tablet interface (11.1.x, 11.0.x, 10.4.x and older)
    Severity: high

Affected Versions

All previous releases for Windows and Linux are affected, including the old and the new WebClient advanced interface.

These problems appear to have been present for many versions, dating back to the original version 10 release, but were missed by each scan performed since then.

We patched both issues immediately to allow customers time to upgrade before any information is released by the security firm. Given that the vulnerabilities have been present for quite some time, both are highly unlikely to have ever been found or used by any attacker.

Solution

We strongly recommend that all customers upgrade to the latest version 11.1.2, or any upgrades released in the future, as a pre-emptive security measure.

https://www.icewarp.com/downloads/

The upgrade is free to all customers who have already installed 11.1. Customers with older versions need to have valid software maintenance in order to upgrade. If you are in any doubt or have further questions, please contact your sales representative or email us at:

sales@icewarp.com

Other Improvements

IceWarp Server 11.1.2 also includes other highly-requested improvements:

  • Meeting invitations in Outlook will no longer become duplicated in the calendar when accepted in WebClient.
  • Downloading mail attachments on Android devices is more reliable in all protocol versions.
  • We have implemented a workaround for an iOS 8 bug causing events in secondary calendars to appear as unaccepted invitations, which could not be edited.
  • Desktop Client has been updated to work seamlessly with the latest version of the server.

We will regularly update this Knowledge Base article with any new security information.