Vulnerability Details CVE-2021-37845
An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command (a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595). This potentially allows an attacker to cause a victim's e-mail messages to be stored into an attacker's IMAP mailbox, but depends on details of the victim's client behavior.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.0%
CVSS Severity
CVSS v3 Score 3.7
References
Products affected by CVE-2021-37845
-
cpe:2.3:a:citadel:webcit:-
-
cpe:2.3:a:citadel:webcit:7.10
-
cpe:2.3:a:citadel:webcit:7.86
-
cpe:2.3:a:citadel:webcit:7.87
-
cpe:2.3:a:citadel:webcit:8.01
-
cpe:2.3:a:citadel:webcit:8.02
-
cpe:2.3:a:citadel:webcit:8.03
-
cpe:2.3:a:citadel:webcit:8.05
-
cpe:2.3:a:citadel:webcit:8.06
-
cpe:2.3:a:citadel:webcit:8.12
-
cpe:2.3:a:citadel:webcit:8.13
-
cpe:2.3:a:citadel:webcit:8.14
-
cpe:2.3:a:citadel:webcit:8.16
-
cpe:2.3:a:citadel:webcit:8.20
-
cpe:2.3:a:citadel:webcit:8.22
-
cpe:2.3:a:citadel:webcit:8.23
-
cpe:2.3:a:citadel:webcit:8.24
-
cpe:2.3:a:citadel:webcit:9.01
-
cpe:2.3:a:citadel:webcit:902
-
cpe:2.3:a:citadel:webcit:926