The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter Plugin 0.3.1, when using the expand option, allows remote attackers to execute arbitrary system commands via shell metacharacters in the RCPT TO field of an email message.
References
Configurations
History
21 Nov 2024, 01:13
Type | Values Removed | Values Added |
---|---|---|
References | () http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html - Exploit | |
References | () http://bugs.debian.org/573228 - | |
References | () http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038535.html - | |
References | () http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038572.html - | |
References | () http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038777.html - | |
References | () http://osvdb.org/62809 - | |
References | () http://secunia.com/advisories/38840 - Vendor Advisory | |
References | () http://secunia.com/advisories/38956 - Vendor Advisory | |
References | () http://secunia.com/advisories/39265 - Vendor Advisory | |
References | () http://www.debian.org/security/2010/dsa-2021 - | |
References | () http://www.exploit-db.com/exploits/11662 - Exploit | |
References | () http://www.securityfocus.com/bid/38578 - Exploit | |
References | () http://www.securitytracker.com/id?1023691 - | |
References | () http://www.vupen.com/english/advisories/2010/0559 - Vendor Advisory | |
References | () http://www.vupen.com/english/advisories/2010/0683 - Vendor Advisory | |
References | () http://www.vupen.com/english/advisories/2010/0837 - Vendor Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=572117 - | |
References | () https://exchange.xforce.ibmcloud.com/vulnerabilities/56732 - | |
References | () https://savannah.nongnu.org/bugs/?29136 - |
Information
Published : 2010-03-27 19:07
Updated : 2024-11-21 01:13
NVD link : CVE-2010-1132
Mitre link : CVE-2010-1132
CVE.ORG link : CVE-2010-1132
JSON object : View
Products Affected
georg_greve
- spamassassin_milter_plugin
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')