CRLF Injection Vulnerability in IceWarp eMail Server and WebMail Server
CVE-2009-1469

Currently unrated

Key Information:

Vendor

IceWarp

CVE Published:
5 May 2009

What is CVE-2009-1469?

A CRLF injection vulnerability in the 'Forgot Password' functionality of IceWarp eMail Server and WebMail Server lets remote attackers craft deceptive email messages that can trick users into disclosing their credentials. The issue arises when CRLF sequences followed by a Reply-To header are included in the subject element of the XML document. Because the server then generates an email that contains the user's valid credentials, the user may be misled into replying with that sensitive information.
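The header-injection pattern described above, next to a hardened form, as an added example that is not IceWarp's code. It assumes the subject value has already been extracted from the XML request; the addresses, function names and sample subject are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

# Constructed sample: a subject value with CRLF followed by a header line.
TAINTED_SUBJECT = "Password reminder\r\nReply-To: someone-else@example.test"
SENDER = "postmaster@mail.example.test"  # hypothetical sender address

def build_naive(subject, to_addr):
    """Vulnerable pattern: untrusted text concatenated into the header block."""
    return (f"From: {SENDER}\r\nTo: {to_addr}\r\n"
            f"Subject: {subject}\r\n\r\n(reminder body)\r\n")

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def safe_header_value(value):
    """Reject any control character, CR and LF included, instead of stripping it."""
    if _CONTROL.search(value):
        raise ValueError("control character in header value")
    return value

def build_hardened(subject, to_addr):
    """Validate first, then let the email library serialize the headers."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = safe_header_value(to_addr)
    msg["Subject"] = safe_header_value(subject)
    msg.set_content("(reminder body)")
    return msg.as_string()

def header_names(raw):
    """Lower-cased header names a mail client would see in the raw message."""
    parsed = Parser().parsestr(raw, headersonly=True)
    return [name.lower() for name in parsed.keys()]

if __name__ == "__main__":
    # The naive builder emits a Reply-To header the application never set.
    print(header_names(build_naive(TAINTED_SUBJECT, "user@example.test")))
    try:
        build_hardened(TAINTED_SUBJECT, "user@example.test")
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the request outright, rather than silently removing the CR and LF characters, also leaves a clear event to log and alert on.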

EPSS Score

5% chance of being exploited in the next 30 days.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
