GFI MailEssentials XML External Entity Vulnerability Allowing Arbitrary File Read

Vulnerability

A vulnerability allowing XML External Entity (XXE) attacks has been identified in GFI MailEssentials versions prior to 21.8. This issue allows authenticated, remote attackers to send crafted HTTP requests that can read arbitrary system files.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive system files, potentially allowing for further attacks or information disclosure.

Reproduction

The vulnerability can be reproduced by uploading a specially crafted XML file through the GFI MailEssentials web interface. The file must be processed by the 'ImportAntiPhisingKeywordList' method of the 'MEC.Configuration.RemotingHelper' class, which contains the XXE sink. When the uploaded file is parsed, the external entity it declares is resolved by the XML parser, which reads the referenced file from the system and returns its contents.

Remediation

Users are advised to upgrade to GFI MailEssentials version 21.8 or later, where this vulnerability has been addressed.
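For developers hardening their own XML import handlers against this class of bug, the following is an added example (not GFI code; the `<keywords><keyword>` element names are an assumption, since the page does not document the real import format) of an XmlReader configuration that closes an XXE sink in .NET:

```csharp
// Added example, not part of GFI MailEssentials. Demonstrates a hardened loader
// for an uploaded XML keyword list; the element names are assumed.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Xml;
using System.Xml.Linq;

public static class SafeKeywordListImport
{
    // Settings that remove the XXE sink: no DTD processing (so no entity
    // declarations at all), no resolver to fetch files or URLs, and caps on
    // entity expansion and document size to block resource-exhaustion variants.
    private static readonly XmlReaderSettings Hardened = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
        XmlResolver = null,                     // never resolve external resources
        MaxCharactersFromEntities = 1024,
        MaxCharactersInDocument = 1 << 20       // 1 MiB ceiling for an upload
    };

    public static List<string> Load(Stream uploaded)
    {
        using (var reader = XmlReader.Create(uploaded, Hardened))
        {
            // XDocument.Load honours the reader's settings, so the document
            // is fully parsed under the restrictions above before any query.
            var doc = XDocument.Load(reader);
            return doc.Descendants("keyword")
                      .Select(e => e.Value.Trim())
                      .Where(k => k.Length > 0)
                      .ToList();
        }
    }

    private static Stream ToStream(string xml) =>
        new MemoryStream(Encoding.UTF8.GetBytes(xml));

    public static void Main()
    {
        // Constructed samples: a benign list, and one carrying a DTD, which is
        // the precondition for declaring any external entity.
        const string benign = "<keywords><keyword>verify your account</keyword></keywords>";
        const string withDtd = "<!DOCTYPE keywords [<!ENTITY x \"y\">]><keywords><keyword>&x;</keyword></keywords>";

        Console.WriteLine(string.Join(", ", Load(ToStream(benign))));
        try { Load(ToStream(withDtd)); }
        catch (XmlException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

On older .NET Framework versions the XmlDocument and XmlTextReader defaults did resolve external entities, so an explicit `XmlResolver = null` on every parsing path that handles untrusted input is the check to look for in a review.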

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 3.3
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.