ID CVE-2007-3275
Summary MailWasher Server before 2.2.1, when used with LDAP or Active Directory (AD), does not properly handle blank passwords, which allows remote attackers to access an arbitrary user account and read the spam e-mail messages stored for that account, possibly related to the LoginCheck::doPost function in mwi/servlet/Login.cpp. NOTE: some of these details are obtained from third party information. Successful exploitation requires knowledge of a valid username and that MailWasher Server is integrated into an AD domain or LDAP repository.
References
Vulnerable Configurations
  • cpe:2.3:a:mailwasher:mailwasher_server:*:*:*:*:*:*:*:*
CVSS
Base: 7.1 (as of 29-07-2017 - 01:32)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: NONE
Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:N/A:N
refmap via4
bid 24507
confirm http://sourceforge.net/project/shownotes.php?release_id=515127
osvdb 37538
secunia 25695
vupen ADV-2007-2239
xf mailwasher-logincheck-unauthorized-access(34925)
Last major update 29-07-2017 - 01:32
Published 19-06-2007 - 21:30
Last modified 29-07-2017 - 01:32