Unvalidated SSL Certificates in Evolution-EWS: A Gateway for Confidential Information Theft

CVE-2019-3890 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

It was discovered that evolution-ews before 3.31.3 does not check the validity of SSL certificates. An attacker could abuse this flaw to obtain confidential information by tricking the user into connecting to a fake server without the user noticing the difference.
