CVE-2006-5262
Published 2006-10-12
Priority: P431 · Severity: medium · CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
EPSS: 2.54% (83.0th percentile)
CRLF injection vulnerability in lib/session.php in Hastymail 1.5 and earlier before 20061008 allows remote authenticated users to send arbitrary IMAP commands via a CRLF sequence in a mailbox name. NOTE: the attack crosses privilege boundaries if the IMAP server configuration prevents a user from establishing a direct IMAP session.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hastymail | hastymail | <= 1.5 | — |
| hastymail | hastymail | — | — |
| hastymail | hastymail | — | — |
| hastymail | hastymail | — | — |
| hastymail | hastymail | — | — |
GHSA
GHSA-p8h5-3rhg-9c2x: CRLF injection vulnerability in lib/session
Unreviewed · 2022-05-01 · CVE-2006-5262 [MEDIUM]
Same description as CVE-2006-5262 above.
GHSA
GHSA-qgqm-rhx5-mcpm: Hastymail 1
Unreviewed · 2022-05-01 · CVSS 6.5 · CVE-2006-5313 [MEDIUM] · CWE-20
Hastymail 1.5 and earlier before 20061008 allows remote authenticated users to send arbitrary SMTP commands by placing them after a CRLF.CRLF sequence in the smtp_message parameter. NOTE: this crosses privilege boundaries if the SMTP server configuration prevents a user from establishing a direct SMTP session. NOTE: this is a different type of issue than CVE-2006-5262.
No detection rules found.
No writeups or analysis indexed.
References:
- http://hastymail.sourceforge.net/security.php
- http://secunia.com/advisories/22308
- http://www.securityfocus.com/archive/1/453417/100/0/threaded
- http://www.securityfocus.com/bid/20424
- http://www.vupen.com/english/advisories/2006/3956
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29407