CVE-2020-23776

7.5 HIGH

📋 TL;DR

This is a Server-Side Request Forgery (SSRF) vulnerability in Winmail 6.5 that allows attackers to manipulate the server into making unauthorized HTTP requests to internal or external systems. Attackers can exploit this by modifying the HOST header when HTTPS is enabled. Organizations running Winmail 6.5 with HTTPS enabled are affected.

💻 Affected Systems

Products:
  • Winmail
Versions: 6.5
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when HTTPS is enabled. HTTP configurations are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker could access internal services, exfiltrate sensitive data, or pivot to other systems within the network.

🟠 Likely Case: Information disclosure from internal services, potential credential theft from metadata services, or scanning of internal network resources.

🟢 If Mitigated: Limited to unsuccessful connection attempts or access to non-sensitive endpoints if proper network segmentation and input validation are in place.

🌐 Internet-Facing: HIGH - The vulnerability exists in app.php which is typically internet-accessible in webmail systems.
🏢 Internal Only: MEDIUM - While still exploitable internally, external attackers pose greater risk due to potential network pivoting.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required. No authentication needed. Public GitHub issue demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Disable HTTPS (platform: all)

Temporarily disable HTTPS to mitigate the vulnerability, since it only affects HTTPS configurations. Note that this removes transport encryption for all webmail traffic, so weigh that exposure against the SSRF risk before choosing it.

Modify the web server configuration to disable HTTPS/SSL.

Input Validation Filter (platform: all)

Add input validation to reject malicious key parameter values.

Edit app.php to validate and sanitize the key parameter before processing.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Winmail server from internal resources
  • Deploy web application firewall (WAF) with SSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Test by sending a request to app.php with a manipulated key parameter and HOST header while HTTPS is enabled, and observe whether the server initiates an outbound request.

Check Version:

Check Winmail version in admin interface or configuration files

Verify Fix Applied:

Verify that manipulated requests no longer result in server making external requests

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Winmail server
  • Requests to internal IP addresses from Winmail
  • Multiple failed connection attempts to unusual domains

Network Indicators:

  • Winmail server making unexpected HTTP requests to internal services
  • Outbound connections to unusual ports from Winmail server

SIEM Query:

source="winmail" AND (dest_ip IN internal_ranges OR dest_port!=443)
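The SIEM query above expressed as a stand-alone detector, added here as an example (not part of the original page or of Winmail): it parses constructed firewall-style egress log lines and flags connections from a Winmail host to internal or link-local destinations, or to ports outside an assumed allowlist of ports a mail server legitimately uses (443 plus SMTP 25/587, which the page's query does not exclude; tune to your environment).

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample egress log (firewall/proxy style); not real Winmail output.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=winmail-01 src_ip=10.0.5.10 dst_ip=93.184.216.34 dst_port=443 proto=tcp
2024-05-01T10:00:07Z src=winmail-01 src_ip=10.0.5.10 dst_ip=10.0.1.25 dst_port=8080 proto=tcp
2024-05-01T10:00:09Z src=winmail-01 src_ip=10.0.5.10 dst_ip=169.254.169.254 dst_port=80 proto=tcp
2024-05-01T10:00:12Z src=winmail-01 src_ip=10.0.5.10 dst_ip=198.51.100.7 dst_port=8443 proto=tcp
2024-05-01T10:00:14Z src=winmail-01 src_ip=10.0.5.10 dst_ip=203.0.113.9 dst_port=25 proto=tcp
2024-05-01T10:00:15Z src=fileserver src_ip=10.0.5.20 dst_ip=10.0.1.25 dst_port=445 proto=tcp
"""

# RFC 1918 plus loopback and link-local (169.254.0.0/16 covers cloud metadata endpoints).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# Assumed allowlist: HTTPS plus outbound SMTP ports a mail server normally uses.
EXPECTED_PORTS = {443, 25, 587}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; raises on malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a reason string for suspicious Winmail egress, else None."""
    if not event.get("src", "").startswith("winmail"):
        return None  # only the Winmail host is in scope for this rule
    dst = ipaddress.ip_address(event["dst_ip"])
    if any(dst in net for net in INTERNAL_RANGES):
        return "internal-destination"  # possible SSRF into the internal network
    if int(event["dst_port"]) not in EXPECTED_PORTS:
        return "unexpected-port"  # outbound to a port the mail server should not need
    return None


def detect(log_text: str) -> List[Dict[str, str]]:
    """Run the rule over every non-empty line and collect hits."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            reason = classify(ev)
            if reason:
                hits.append({"ts": ev["ts"], "dst": f"{ev['dst_ip']}:{ev['dst_port']}", "reason": reason})
    return hits
```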
