Vulnerabilities > CVE-2021-37845 - Unspecified vulnerability in Citadel Webcit

CVSS 3.7 - LOW

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

high complexity

citadel

NVD

Published: 2023-05-29

Updated: 2023-06-05

Summary

An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command (a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595). This potentially allows an attacker to cause a victim's e-mail messages to be stored into an attacker's IMAP mailbox, but depends on details of the victim's client behavior.

Vulnerable Configurations

Part	Description	Count
Application	Citadel Citadel Webcit - Citadel Webcit 7.10 Citadel Webcit 7.86 Citadel Webcit 7.87 Citadel Webcit 8.01 Citadel Webcit 8.02 Citadel Webcit 8.03 Citadel Webcit 8.05 Citadel Webcit 8.06 Citadel Webcit 8.12 Citadel Webcit 8.13 Citadel Webcit 8.14 Citadel Webcit 8.16 Citadel Webcit 8.20 Citadel Webcit 8.22 Citadel Webcit 8.23 Citadel Webcit 8.24 Citadel Webcit 9.01 Citadel Webcit 902 Citadel Webcit 926	20

Summary

Vulnerable Configurations

References