CVE-2002-0490

Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers to (1) execute arbitrary POP commands via the id parameter in message.php, or (2) modify certain mail message headers via numerous parameters in write.php.

CVSS v2.0 10.0 HIGH

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://instantwebmail.sourceforge.net/#changeLog
http://www.iss.net/security_center/static/8650.php	Patch Vendor Advisory
http://www.securityfocus.com/archive/1/264041	Vendor Advisory
http://www.securityfocus.com/bid/4361	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:instant_web_mail:instant_web_mail:0.55:::::::*
	cpe:2.3:a:instant_web_mail:instant_web_mail:0.56:::::::*
	cpe:2.3:a:instant_web_mail:instant_web_mail:0.57:::::::*
	cpe:2.3:a:instant_web_mail:instant_web_mail:0.58:::::::*
	cpe:2.3:a:instant_web_mail:instant_web_mail:0.59:::::::*

History

No history.

Information

Published : 2002-08-12 04:00

Updated : 2024-02-04 16:31

NVD link : CVE-2002-0490

Mitre link : CVE-2002-0490

CVE.ORG link : CVE-2002-0490

JSON object : View

Products Affected

instant_web_mail

instant_web_mail

CWE

NVD-CWE-Other

{"id": "CVE-2002-0490", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": true, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2002-08-12T04:00:00.000", "references": [{"url": "http://instantwebmail.sourceforge.net/#changeLog", "source": "cve@mitre.org"}, {"url": "http://www.iss.net/security_center/static/8650.php", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/264041", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/4361", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers to (1) execute arbitrary POP commands via the id parameter in message.php, or (2) modify certain mail message headers via numerous parameters in write.php."}], "lastModified": "2008-09-05T20:28:09.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.55:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F61E0C8E-7C59-4D06-BBDF-254891F3F517"}, {"criteria": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.56:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1CEFD56D-959B-4BB6-8376-CE3062F1CCFF"}, {"criteria": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.57:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7C10550-FD9A-4467-B904-33CF68B2419C"}, {"criteria": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.58:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C550C08-5DC2-4386-B4F2-8B7B31887538"}, {"criteria": "cpe:2.3:a:instant_web_mail:instant_web_mail:0.59:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64AE4E6A-8881-4949-93A2-03894FBD0679"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}