SQL injection vulnerability in the Courier Authentication Library (aka courier-authlib) before 0.60.6 on SUSE openSUSE 10.3 and 11.0, and other platforms, when MySQL and a non-Latin character set are used, allows remote attackers to execute arbitrary SQL commands via the username and unspecified other vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| courier-mta | courtier-authlib | 0.53 |
| courier-mta | courtier-authlib | 0.59 |
| courier-mta | courtier-authlib | 0.58 |
| courier-mta | courtier-authlib | 0.60.3 |
| courier-mta | courtier-authlib | 0.60.4 |
| courier-mta | courtier-authlib | 0.54 |
| courier-mta | courtier-authlib | 0.59.3 |
| courier-mta | courtier-authlib | 0.60.1 |
| courier-mta | courtier-authlib | 0.60.5 |
| courier-mta | courtier-authlib | 0.56 |
| courier-mta | courtier-authlib | 0.57 |
| courier-mta | courtier-authlib | 0.60 |
| courier-mta | courtier-authlib | 0.55 |
| courier-mta | courtier-authlib | 0.59.1 |
| courier-mta | courtier-authlib | 0.60.2 |
| courier-mta | courtier-authlib | 0.59.2 |
| courier-mta | courtier-authlib | 0.52 |
An issue was discovered in the POP3 component of Courier Mail Server before 1.1.5. Meddler-in-the-middle attackers can pipeline commands after the POP3 STLS command, injecting plaintext commands into an encrypted user session.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-74,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| courier-mta | courier_mail_server | * |