Claws-Mail vulnerabilities

CVE-2021-37746 [MEDIUM] CWE-601 CVE-2021-37746: textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, d textview_uri_security_check in textview.c in Claws Mail before 3.18.0, and Sylpheed through 3.7.0, does not have sufficient link checks before accepting a click.

CVE-2020-16094 [HIGH] CWE-674 CVE-2020-16094: In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious IMAP server can trigger stack In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious IMAP server can trigger stack consumption because of unlimited recursion into subdirectories during a rebuild of the folder tree.

CVE-2020-15917 [CRITICAL] CVE-2020-15917: common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STAR common/session.c in Claws Mail before 3.17.6 has a protocol violation because suffix data after STARTTLS is mishandled.

CVE-2015-8708 [HIGH] CVE-2015-8708: Stack-based buffer overflow in the conv_euctojis function in codeconv.c in Claws Mail 3.13.1 allows Stack-based buffer overflow in the conv_euctojis function in codeconv.c in Claws Mail 3.13.1 allows remote attackers to have unspecified impact via a crafted email, involving Japanese character set conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8614.

CVE-2015-8614 [HIGH] CWE-119 CVE-2015-8614: Multiple stack-based buffer overflows in the (1) conv_jistoeuc, (2) conv_euctojis, and (3) conv_sjis Multiple stack-based buffer overflows in the (1) conv_jistoeuc, (2) conv_euctojis, and (3) conv_sjistoeuc functions in codeconv.c in Claws Mail before 3.13.1 allow remote attackers to have unspecified impact via a crafted email, involving Japanese character set conversion.

CVE-2014-2576 [MEDIUM] CWE-310 CVE-2014-2576: plugins/rssyl/feed.c in Claws Mail before 3.10.0 disables the CURLOPT_SSL_VERIFYHOST check for CN or plugins/rssyl/feed.c in Claws Mail before 3.10.0 disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks.

CVE-2010-5109 [MEDIUM] CVE-2010-5109: Off-by-one error in the DecompressRTF function in ytnef Off-by-one error in the DecompressRTF function in ytnef.c in Yerase's TNEF Stream Reader allows remote attackers to cause a denial of service (crash) via a crafted TNEF file, which triggers a buffer overflow.

CVE-2012-4507 [MEDIUM] CVE-2012-4507: The strchr function in procmime.c in Claws Mail (aka claws-mail) 3.8.1 allows remote attackers to ca The strchr function in procmime.c in Claws Mail (aka claws-mail) 3.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted email.

CVE-2007-6208 [LOW] CVE-2007-6208: sylprint sylprint.pl in claws mail tools (claws-mail-tools) allows local users to overwrite arbitrary files via a symlink attack on the sylprint.[USER].[PID] temporary file.

CVE-2007-1558 [LOW] CVE-2007-1558: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.