Multiple authenticated remote code execution (RCE) vulnerabilities were found on the SpamTitan Gateway 7.07 and probably in pervious versions: CVE-2020-11699: Improper validation of the parameter fname on the page certs-x.php would allow an attacker to execute remote code on the target server. The user has to be authenticated before interacting with this page. CVE-2020-11700: Improper sanitization of the parameter fname, used on the page certs-x.php, would allow an attacker to retrieve the contents of arbitrary files. The user has to be authenticated before interacting with this page. CVE-2020-11803: Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluatiom. The user has to be authenticated before interacting with this page. CVE-2020-11804: Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluatiom. The user has to be authenticated before interacting with this page.