CVE-2006-5262

CRLF injection vulnerability in lib/session.php in Hastymail 1.5 and earlier before 20061008 allows remote authenticated users to send arbitrary IMAP commands via a CRLF sequence in a mailbox name. NOTE: the attack crosses privilege boundaries if the IMAP server configuration prevents a user from establishing a direct IMAP session.

Referenced by CVEs: CVE-2006-5313
Score: 6.5
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE_INSTANCE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Published: 2006-10-12 06:07:00.000-04
Last Modified: 2018-10-17 05:41:56.000-04

Vulnerable Software List

Vendor: Hastymail
Product: Hastymail
Versions: 1.0.1, 1.0.2, 1.1, 1.2, 1.5

References

CONFIRM: http://hastymail.sourceforge.net/security.php
BUGTRAQ: 20061202 [ISecAuditors Security Advisories] IMAP/SMTP Injection in Hastymail
BID: 20424
VUPEN: ADV-2006-3956
XF: hastymail-imap-command-execution(29407)