CVE-2006-5262 - Vulnerability Details - OpenCVE

CRLF injection vulnerability in lib/session.php in Hastymail 1.5 and earlier before 20061008 allows remote authenticated users to send arbitrary IMAP commands via a CRLF sequence in a mailbox name. NOTE: the attack crosses privilege boundaries if the IMAP server configuration prevents a user from establishing a direct IMAP session.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hastymail	Hastymail

Configuration 1 [-]

OR	cpe:2.3:a:hastymail:hastymail::::::::
	cpe:2.3:a:hastymail:hastymail:1.0.1:::::::*
	cpe:2.3:a:hastymail:hastymail:1.0.2:::::::*
	cpe:2.3:a:hastymail:hastymail:1.1:::::::*
	cpe:2.3:a:hastymail:hastymail:1.2:::::::*

No data.

References

Link	Providers
http://hastymail.sourceforge.net/security.php
http://secunia.com/advisories/22308
http://www.securityfocus.com/archive/1/453417/100/0/threaded
http://www.securityfocus.com/bid/20424
http://www.vupen.com/english/advisories/2006/3956
https://exchange.xforce.ibmcloud.com/vulnerabilities/29407

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2006-10-12T22:00:00

Updated: 2024-08-07T19:41:05.343Z

Reserved: 2006-10-12T00:00:00

Link: CVE-2006-5262

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2006-10-12T22:07:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2006-5262

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2006-10-08T00:00:00", "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in lib/session.php in Hastymail 1.5 and earlier before 20061008 allows remote authenticated users to send arbitrary IMAP commands via a CRLF sequence in a mailbox name. NOTE: the attack crosses privilege boundaries if the IMAP server configuration prevents a user from establishing a direct IMAP session."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "hastymail-imap-command-execution(29407)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29407"}, {"name": "20061202 [ISecAuditors Security Advisories] IMAP/SMTP Injection in Hastymail", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/453417/100/0/threaded"}, {"name": "ADV-2006-3956", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2006/3956"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://hastymail.sourceforge.net/security.php"}, {"name": "22308", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/22308"}, {"name": "20424", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/20424"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2006-5262", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CRLF injection vulnerability in lib/session.php in Hastymail 1.5 and earlier before 20061008 allows remote authenticated users to send arbitrary IMAP commands via a CRLF sequence in a mailbox name. NOTE: the attack crosses privilege boundaries if the IMAP server configuration prevents a user from establishing a direct IMAP session."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "hastymail-imap-command-execution(29407)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29407"}, {"name": "20061202 [ISecAuditors Security Advisories] IMAP/SMTP Injection in Hastymail", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/453417/100/0/threaded"}, {"name": "ADV-2006-3956", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2006/3956"}, {"name": "http://hastymail.sourceforge.net/security.php", "refsource": "CONFIRM", "url": "http://hastymail.sourceforge.net/security.php"}, {"name": "22308", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/22308"}, {"name": "20424", "refsource": "BID", "url": "http://www.securityfocus.com/bid/20424"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T19:41:05.343Z"}, "title": "CVE Program Container", "references": [{"name": "hastymail-imap-command-execution(29407)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29407"}, {"name": "20061202 [ISecAuditors Security Advisories] IMAP/SMTP Injection in Hastymail", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/453417/100/0/threaded"}, {"name": "ADV-2006-3956", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2006/3956"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://hastymail.sourceforge.net/security.php"}, {"name": "22308", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/22308"}, {"name": "20424", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/20424"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2006-5262", "datePublished": "2006-10-12T22:00:00", "dateReserved": "2006-10-12T00:00:00", "dateUpdated": "2024-08-07T19:41:05.343Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hastymail:hastymail:*:*:*:*:*:*:*:*", "matchCriteriaId": "C057FFFB-5146-4155-BBFE-FD864EC6F3F2", "versionEndIncluding": "1.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:hastymail:hastymail:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "D6CF81CA-866C-4FEB-85F6-3D0CA7F45796", "vulnerable": true}, {"criteria": "cpe:2.3:a:hastymail:hastymail:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "F83082A4-8673-446E-BB6D-7F25CB5B6159", "vulnerable": true}, {"criteria": "cpe:2.3:a:hastymail:hastymail:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "AFD204DC-5C9A-4057-9AFD-F1213F817979", "vulnerable": true}, {"criteria": "cpe:2.3:a:hastymail:hastymail:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "09A0A189-B782-4ABE-BCFD-492E076D249F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CRLF injection vulnerability in lib/session.php in Hastymail 1.5 and earlier before 20061008 allows remote authenticated users to send arbitrary IMAP commands via a CRLF sequence in a mailbox name. NOTE: the attack crosses privilege boundaries if the IMAP server configuration prevents a user from establishing a direct IMAP session."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n de CRLF en lib/session.php en Hastymail 1.5 y versiones anteriores a 20061008 permite a usuarios remotos autenticados enviar \u00f3rdenes IMAP mediante una secuencia CRLF en el nombre del buz\u00f3n (mailbox). NOTA: el ataque cruza los l\u00edmites de los permisos si la configuraci\u00f3n del servidor IMAP evita que los usuarios establezcan sesiones directas IMAP.\r\n"}], "id": "CVE-2006-5262", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2006-10-12T22:07:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://hastymail.sourceforge.net/security.php"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/22308"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/453417/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/20424"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2006/3956"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29407"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://hastymail.sourceforge.net/security.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://secunia.com/advisories/22308"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/453417/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://www.securityfocus.com/bid/20424"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2006/3956"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29407"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}