CVE-2002-0490 - Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers

CVE-2002-0490

Summary

Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers to (1) execute arbitrary POP commands via the id parameter in message.php, or (2) modify certain mail message headers via numerous parameters in write.php.

References

Vulnerable Configurations

cpe:2.3:a:instant_web_mail:instant_web_mail:0.55:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.55:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.56:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.56:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.57:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.57:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.58:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.58:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.59:*:*:*:*:*:*:*
cpe:2.3:a:instant_web_mail:instant_web_mail:0.59:*:*:*:*:*:*:*

CVSS

Base:	10.0 (as of 05-09-2008 - 20:28)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:C/I:C/A:C

refmap via4

bid	4361
bugtraq	20020323 Instant Web Mail additional POP3 commands and mail headers
confirm	http://instantwebmail.sourceforge.net/#changeLog
xf	instant-webmail-pop-commands(8650)

Last major update

05-09-2008 - 20:28

Published

12-08-2002 - 04:00

Last modified

05-09-2008 - 20:28