Skip to main content

Mail Server EUVDEUVD-2025-201170

| CVE-2025-2848 MEDIUM
Missing Authorization (CWE-862)
2025-12-04 security@synology.com
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.7.6-20676,1.7.6-10676
EUVD ID Assigned
Mar 15, 2026 - 16:35 euvd
EUVD-2025-201170
Analysis Generated
Mar 15, 2026 - 16:35 vuln.today
CVE Published
Dec 04, 2025 - 15:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions.

Analysis

A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862).

RemediationAI

Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.

CVE-2023-39699 CRITICAL POC
9.8 Aug 25

IceWarp Mail Server v10.4.5 was discovered to contain a local file inclusion (LFI) vulnerability via the component /cale

CVE-2020-23824 HIGH POC
8.8 Sep 11

ArGo Soft Mail Server 1.8.8.9 is affected by Cross Site Request Forgery (CSRF) for perform remote arbitrary code executi

CVE-2019-12593 HIGH POC
7.5 Jun 03

IceWarp Mail Server through 10.4.4 is prone to a local file inclusion vulnerability via webmail/calendar/minimizer/index

CVE-2021-36580 MEDIUM POC
6.1 Jul 27

Open Redirect vulnerability exists in IceWarp MailServer IceWarp Server Deep Castle 2 Update 1 (13.0.1.2) via the refere

CVE-2023-39700 MEDIUM POC
6.1 Aug 25

IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the color

CVE-2020-27982 MEDIUM POC
6.1 Nov 02

IceWarp 11.4.5.0 allows XSS via the language parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely

CVE-2018-16324 MEDIUM POC
6.1 Sep 01

In IceWarp Server 12.0.3.1 and before, there is XSS in the /webmail/ username field. Rated medium severity (CVSS 6.1), t

CVE-2018-7475 MEDIUM POC
6.1 Jun 30

Cross-site scripting (XSS) vulnerability for webdav/ticket/ URIs in IceWarp Mail Server 12.0.3 allows remote attackers t

CVE-2025-40630 MEDIUM POC
5.1 May 16

Open redirection vulnerability in IceWarp Mail Server affecting version 11.4.0. Rated medium severity (CVSS 5.1), this v

CVE-2017-12844 MEDIUM POC
4.8 Aug 23

Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp Mail Server 10.4.4 allows remote authenticated do

CVE-2020-14066 HIGH
8.8 Jul 15

IceWarp Email Server 12.3.0.1 allows remote attackers to upload JavaScript files that are dangerous for clients to acces

CVE-2020-14065 MEDIUM
6.5 Jul 15

IceWarp Email Server 12.3.0.1 allows remote attackers to upload files and consume disk space. Rated medium severity (CVS

Share

EUVD-2025-201170 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy