Sign-up

ID

VAR-200110-0112


CVE

CVE-2001-1286


TITLE

Ipswitch IMail User Mailbox Disclosure Vulnerability

Trust: 0.9

sources: BID: 3432 // CNNVD: CNNVD-200110-044

DESCRIPTION

Ipswitch IMail 7.04 and earlier stores a user's session ID in a URL, which could allow remote attackers to hijack sessions by obtaining the URL, e.g. via an HTML email that causes the Referrer to be sent to a URL under the attacker's control. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP etc. A vulnerability exists in IMail which could enable an authenticated user to view the mailbox of another IMail user. This accomplished using directory traversal techniques while logged into the server with a valid session ID

Trust: 1.26

sources: NVD: CVE-2001-1286 // BID: 3432 // VULHUB: VHN-4091

AFFECTED PRODUCTS

vendor:ipswitchmodel:imailscope:eqversion:7.0.4

Trust: 1.9

vendor:ipswitchmodel:imailscope:eqversion:6.0.6

Trust: 1.6

vendor:ipswitchmodel:imailscope:eqversion:6.0.2

Trust: 1.6

sources: BID: 3432 // CNNVD: CNNVD-200110-044 // NVD: CVE-2001-1286

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2001-1286
value: HIGH

Trust: 1.0

CNNVD: CNNVD-200110-044
value: HIGH

Trust: 0.6

VULHUB: VHN-4091
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2001-1286
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-4091
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-4091 // CNNVD: CNNVD-200110-044 // NVD: CVE-2001-1286

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2001-1286

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200110-044

TYPE

access verification error

Trust: 0.6

sources: CNNVD: CNNVD-200110-044

EXTERNAL IDS

db:NVDid:CVE-2001-1286

Trust: 2.0

db:BIDid:3432

Trust: 2.0

db:CNNVDid:CNNVD-200110-044

Trust: 0.7

db:BUGTRAQid:20020310 IMAIL ACCOUNT HIJACK THROUGH THE WEB INTERFACE

Trust: 0.6

db:BUGTRAQid:20011011 IPSWITCH IMAIL 7.04 VULNERABILITIES

Trust: 0.6

db:VULHUBid:VHN-4091

Trust: 0.1

sources: VULHUB: VHN-4091 // BID: 3432 // CNNVD: CNNVD-200110-044 // NVD: CVE-2001-1286

REFERENCES

url:http://www.securityfocus.com/bid/3432

Trust: 1.7

url:http://archives.neohapsis.com/archives/bugtraq/2001-10/0082.html

Trust: 1.7

url:http://online.securityfocus.com/archive/1/261096

Trust: 1.7

url:http://www.ipswitch.com/support/imail/news.html

Trust: 1.7

url:http://www.ipswitch.com/products/imail_server/index.html

Trust: 0.3

sources: VULHUB: VHN-4091 // BID: 3432 // CNNVD: CNNVD-200110-044 // NVD: CVE-2001-1286

CREDITS

Posted to Bugtraq by Niels Heinen <zilli0n@gmx.net> on Oct 12, 2001.

Trust: 0.9

sources: BID: 3432 // CNNVD: CNNVD-200110-044

SOURCES

db:VULHUBid:VHN-4091
db:BIDid:3432
db:CNNVDid:CNNVD-200110-044
db:NVDid:CVE-2001-1286

LAST UPDATE DATE

2025-04-03T22:25:22.972000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-4091date:2008-09-10T00:00:00
db:BIDid:3432date:2009-07-11T09:06:00
db:CNNVDid:CNNVD-200110-044date:2005-10-20T00:00:00
db:NVDid:CVE-2001-1286date:2025-04-03T01:03:51.193

SOURCES RELEASE DATE

db:VULHUBid:VHN-4091date:2001-10-12T00:00:00
db:BIDid:3432date:2001-10-12T00:00:00
db:CNNVDid:CNNVD-200110-044date:2001-10-12T00:00:00
db:NVDid:CVE-2001-1286date:2001-10-12T04:00:00