CVE-2002-0490

Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers to (1) execute arbitrary POP commands via the id parameter in message.php, or (2) modify certain mail message headers via numerous parameters in write.php.

CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/4361	Patch Vendor Advisory
http://www.iss.net/security_center/static/8650.php	Patch Vendor Advisory
http://www.securityfocus.com/archive/1/264041	Vendor Advisory
http://instantwebmail.sourceforge.net/#changeLog

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:instant_web_mail:instant_web_mail:0.55:::::::*
	cpe:2.3:a:instant_web_mail:instant_web_mail:0.56:::::::*
	cpe:2.3:a:instant_web_mail:instant_web_mail:0.57:::::::*
	cpe:2.3:a:instant_web_mail:instant_web_mail:0.59:::::::*
	cpe:2.3:a:instant_web_mail:instant_web_mail:0.58:::::::*

Information

Published : 2002-08-11 21:00

Updated : 2008-09-05 13:28

NVD link : CVE-2002-0490

Mitre link : CVE-2002-0490

JSON object : View

CWE

NVD-CWE-Other

Advertisement

Products Affected

instant_web_mail

instant_web_mail

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/4361", "name": "4361", "tags": ["Patch", "Vendor Advisory"], "refsource": "BID"}, {"url": "http://www.iss.net/security_center/static/8650.php", "name": "instant-webmail-pop-commands(8650)", "tags": ["Patch", "Vendor Advisory"], "refsource": "XF"}, {"url": "http://www.securityfocus.com/archive/1/264041", "name": "20020323 Instant Web Mail additional POP3 commands and mail headers", "tags": ["Vendor Advisory"], "refsource": "BUGTRAQ"}, {"url": "http://instantwebmail.sourceforge.net/#changeLog", "name": "http://instantwebmail.sourceforge.net/#changeLog", "tags": [], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers to (1) execute arbitrary POP commands via the id parameter in message.php, or (2) modify certain mail message headers via numerous parameters in write.php."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2002-0490", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 10.0, "obtainAllPrivilege": true, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2002-08-12T04:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.55:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.56:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.57:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.59:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.58:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2008-09-05T20:28Z"}