Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Critical Vulnerabilities Addressed in SecurEnvoy SecurMail

Multiple critical vulnerabilities impacting SecurEnvoy SecurMail could result in an attacker being able to read encrypted emails and even delete or overwrite messages in an inbox.

Multiple critical vulnerabilities impacting SecurEnvoy SecurMail could result in an attacker being able to read encrypted emails and even delete or overwrite messages in an inbox.

SecurEnvoy SecurMail was meant to provide businesses with secure email communications and claims to be offering organizations the full advantages of encryption without the hassle of deployment or management operations.

This week, SEC Consult revealed information on seven critical vulnerabilities in the product that “break the core security promises of the product,” as they can expose sensitive information to attackers.

The flaws were discovered during a short testing period in November 2017, SEC Consult reveals in an advisory. The discovered vulnerabilities were recently addressed with the release of SecurMail 9.2.501, or hotfix patch “1_012018.”

“As other SecureEnvoy products (besides the analyzed SecurMail) appear to be highly integrated (all products are installed with a single setup file) we suspect other components to also suffer from severe security deficits,” SEC Consult notes.

The discovered vulnerabilities include two Cross Site Scripting (CVE-2018-7703, CVE-2018-7707) flaws residing in the lack of functionality to encode user input when creating HTML pages.

The security firm also found that there are no path traversal checks in the application (CVE-2018-7705, CVE-2018-7706), and that authorization checks are only partially implemented in the application, an Insecure Direct Object Reference (CVE-2018-7704) vulnerability. These flaws could allow a legitimate recipient to read mails sent to other recipients in plain text.

The application was also plagued with a Missing Authentication and Authorization (CVE-2018-7702) flaw, where no authentication was required on the SecurEnvoy server for a client to send emails. This could allow anyone with network access to the server to arbitrarily send emails spoofing other sender addresses.

The issue could also be exploited by attackers with network access to the server to resend previous communication to arbitrary recipients. Thus, they could extract all emails stored on the server and could also modify arbitrary messages.

SecurEnvoy SecurMail was also impacted by a Cross Site Request Forgery (CVE-2018-7701) vulnerability, as no protections against such flaws existed within the web interface. Thus, an attacker could delete a victim’s email or impersonate the victim and reply to their emails. Attacks are possible against the API used to send emails, which do not require authentication on the server.

“Since these vulnerabilities were found during a very short time frame, SEC Consult believes that the product may contain a large number of other security vulnerabilities. As already several core security promises have been broken during this short crash test, no further tests were conducted,” SEC Consult notes.

The vulnerabilities were found in SecurEnvoy SecurMail version 9.1.501 and were addressed with security patch “1_012018.” Version 9.2.501 of the software is no longer vulnerable.

In their advisory, SEC Consult also published proof-of-concept code for the discovered vulnerabilities.

Related: Cisco Patches Flaws in Email Security, Other Products

Related: Mailsploit: Popular Email Apps Allow Spoofing, Code Injection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.