Debian Courier vulnerabilities
14 known vulnerabilities affecting debian/courier.
Total CVEs: 14
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 8, LOW 2
Vulnerabilities
CVE-2004-0777 | P3 | MEDIUM | CVSS 7.5 | PoC | fixed in courier 0.45.6-1 (bookworm) | 2004
[HIGH] CVE-2004-0777: courier
Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 through 2.2.1 and 3.x through 3.0.3, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.
Scope: local
bookworm: resolved (fixed in 0.45.6-1)
bullseye: resolved (fixed in 0.45.6-1)
forky: resolved (fixed in 0.45.6-1)
sid: resolved (fixed in 0.45.6-
CVE-2021-38084 | P3 | HIGH | CVSS 8.1 | fixed in courier 1.3.13-1 (forky) | 2021
[HIGH] CVE-2021-38084: courier
An issue was discovered in the POP3 component of Courier Mail Server before 1.1.5. Meddler-in-the-middle attackers can pipeline commands after the POP3 STLS command, injecting plaintext commands into an encrypted user session.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 1.3.13-1)
sid: resolved (fixed in 1.3.13-1)
trixie: resolved (fixed in 1
CVE-2004-0591 | P4 | MEDIUM | CVSS 6.8 | PoC | fixed in courier 0.45.4-4 (bookworm) | 2004
[MEDIUM] CVE-2004-0591: courier
Cross-site scripting (XSS) vulnerability in the print_header_uc function for SqWebMail 4.0.4 and earlier, and possibly 3.x, allows remote attackers to inject arbitrary web script or HTML via (1) e-mail headers or (2) a message with a "message/delivery-status" MIME Content-Type.
Scope: local
bookworm: resolved (fixed in 0.45.4-4)
bullseye: resolved (fixed in 0.45.4-4
CVE-2005-2769 | P4 | MEDIUM | CVSS 4.3 | PoC | fixed in courier 0.47-9 (bookworm) | 2005
[MEDIUM] CVE-2005-2769: courier
Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 and possibly other versions allows remote attackers to inject arbitrary web script or HTML via an HTML e-mail containing tags with strings that contain ">" or other special characters, which is not properly sanitized by SqWebMail.
Scope: local
bookworm: resolved (fixed in 0.47-9)
bullseye: resolved (fixed i
CVE-2004-0224 | P4 | HIGH | CVSS 7.5 | fixed in courier 0.45.1-1 (bookworm) | 2004
[HIGH] CVE-2004-0224: courier
Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range."
Scope: local
bookworm: resolved (fixed in 0.45.1-1)
bullseye: resolved (fixed in 0.45.1-1)
forky: resolved (fixed in 0.45.1-1)
si
CVE-2003-0040 | P4 | HIGH | CVSS 7.5 | fixed in courier 0.40.2-3 (bookworm) | 2003
[HIGH] CVE-2003-0040: courier
SQL injection vulnerability in the PostgreSQL auth module for courier 0.40 and earlier allows remote attackers to execute SQL code via the user name.
Scope: local
bookworm: resolved (fixed in 0.40.2-3)
bullseye: resolved (fixed in 0.40.2-3)
forky: resolved (fixed in 0.40.2-3)
sid: resolved (fixed in 0.40.2-3)
trixie: resolved (fixed in 0.40.2-3)
CVE-2005-3532 | P4 | MEDIUM | CVSS 7.5 | fixed in courier 0.47-12 (bookworm) | 2005
[HIGH] CVE-2005-3532: courier
authpam.c in courier-authdaemon for Courier Mail Server 0.37.3 through 0.52.1, when using pam_tally, does not call the pam_acct_mgmt function to verify that access should be granted, which allows attackers to authenticate to the server using accounts that have been disabled.
Scope: local
bookworm: resolved (fixed in 0.47-12)
bullseye: resolved (fixed in 0.47-12)
forky
CVE-2006-2659 | P4 | HIGH | CVSS 7.8 | fixed in courier 0.53.2-1 (bookworm) | 2006
[HIGH] CVE-2006-2659: courier
libs/comverp.c in Courier MTA before 0.53.2 allows attackers to cause a denial of service (CPU consumption) via unknown vectors involving usernames that contain the "=" (equals) character, which is not properly handled during encoding.
Scope: local
bookworm: resolved (fixed in 0.53.2-1)
bullseye: resolved (fixed in 0.53.2-1)
forky: resolved (fixed in 0.53.2-1)
sid: re
CVE-2004-2313 | P4 | LOW | CVSS 5.0 | fixed in courier 0.44.2-1 (bookworm) | 2004
[MEDIUM] CVE-2004-2313: courier
Inter7 SqWebMail 3.4.1 through 3.6.1 generates different error messages for incorrect passwords versus correct passwords on non-mail-enabled accounts (such as root), which allows remote attackers to guess the root password via brute force attacks.
Scope: local
bookworm: resolved (fixed in 0.44.2-1)
bullseye: resolved (fixed in 0.44.2-1)
forky: resolved (fixed in 0.4
CVE-2005-2151 | P4 | LOW | CVSS 5.0 | fixed in courier 0.47-6 (bookworm) | 2005
[MEDIUM] CVE-2005-2151: courier
spf.c in Courier Mail Server does not properly handle DNS failures when looking up Sender Policy Framework (SPF) records, which could allow attackers to cause memory corruption.
Scope: local
bookworm: resolved (fixed in 0.47-6)
bullseye: resolved (fixed in 0.47-6)
forky: resolved (fixed in 0.47-6)
sid: resolved (fixed in 0.47-6)
trixie: resolved (fixed in 0.47-6)
CVE-2005-2724 | P4 | MEDIUM | CVSS 4.3 | fixed in courier 0.47-8 (bookworm) | 2005
[MEDIUM] CVE-2005-2724: courier
Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows remote attackers to inject arbitrary web script or HTML via a file attachment that is processed by the Display feature. NOTE: the severity of this issue has been disputed by the developer.
Scope: local
bookworm: resolved (fixed in 0.47-8)
bullseye: resolved (fixed in 0.47-8)
forky: resolved (fixed in
CVE-2005-2820 | P4 | MEDIUM | CVSS 4.3 | fixed in courier 0.47-9 (bookworm) | 2005
[MEDIUM] CVE-2005-2820: courier
Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows remote attackers to inject arbitrary web script or HTML via an e-mail message containing Internet Explorer "Conditional Comments" such as "[if]" and "[endif]".
Scope: local
bookworm: resolved (fixed in 0.47-9)
bullseye: resolved (fixed in 0.47-9)
forky: resolved (fixed in 0.47-9)
sid: resolved (fixed
CVE-2002-0914 | P4 | MEDIUM | CVSS 5.0 | fixed in courier 0.46 (bookworm) | 2002
[MEDIUM] CVE-2002-0914: courier
Double Precision Courier e-mail MTA allows remote attackers to cause a denial of service (CPU consumption) via a message with an extremely large or negative value for the year, which causes a tight loop.
Scope: local
bookworm: resolved (fixed in 0.46)
bullseye: resolved (fixed in 0.46)
forky: resolved (fixed in 0.46)
sid: resolved (fixed in 0.46)
trixie: resolved (f
CVE-2002-1311 | P4 | MEDIUM | CVSS 4.6 | fixed in courier 0.40.0-1 (bookworm) | 2002
[MEDIUM] CVE-2002-1311: courier
Courier sqwebmail before 0.40.0 does not quickly drop privileges after startup in certain cases, which could allow local users to read arbitrary files.
Scope: local
bookworm: resolved (fixed in 0.40.0-1)
bullseye: resolved (fixed in 0.40.0-1)
forky: resolved (fixed in 0.40.0-1)
sid: resolved (fixed in 0.40.0-1)
trixie: resolved (fixed in 0.40.0-1)