CVE-2025-40631 | THREATINT

Description

HTTP host header injection vulnerability in Icewarp Mail Server affecting version 11.4.0. By modifying the Host header and adding a payload, arbitrary JavaScript code can be executed on page load. The user must interact with a malicious link to be redirected.

PUBLISHED Reserved 2025-04-16 | Published 2025-05-16 | Updated 2025-05-16 | Assigner INCIBE

LOW: 2.0CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax

Product status

Default status

unaffected

11.4.0

affected

Credits

Julen Garrido Estévez finder

References

www.incibe.es/...ultiple-vulnerabilities-icewarp-mail-server

cve.org (CVE-2025-40631)

nvd.nist.gov (CVE-2025-40631)

Download JSON