CVE-2002-1385 - OpenCVE

openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Open Webmail	Open Webmail

Configuration 1 [-]

OR	cpe:2.3:a:open_webmail:open_webmail:1.7:::::::*
	cpe:2.3:a:open_webmail:open_webmail:1.8:::::::*
	cpe:2.3:a:open_webmail:open_webmail:1.71:::::::*
	cpe:2.3:a:open_webmail:open_webmail:1.81:::::::*

No data.

References

Link	Providers
http://marc.info/?l=bugtraq&m=104031696120743&w=2
http://marc.info/?l=bugtraq&m=104032263328026&w=2
http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435
http://www.securityfocus.com/bid/6425
https://exchange.xforce.ibmcloud.com/vulnerabilities/10904

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2004-09-01T04:00:00

Updated: 2024-08-08T03:19:28.608Z

Reserved: 2002-12-19T00:00:00

Link: CVE-2002-1385

Vulnrichment

No data.

NVD

Status : Modified

Published: 2002-12-26T05:00:00.000

Modified: 2017-10-10T01:30:12.173

Link: CVE-2002-1385

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2002-12-18T00:00:00", "descriptions": [{"lang": "en", "value": "openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-18T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "6425", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/6425"}, {"name": "20021219 [Fix] Openwebmail 1.71 remote root compromise", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"name": "20021218 Openwebmail 1.71 remote root compromise", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"name": "open-webmail-command-execution(10904)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2002-1385", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "6425", "refsource": "BID", "url": "http://www.securityfocus.com/bid/6425"}, {"name": "20021219 [Fix] Openwebmail 1.71 remote root compromise", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"name": "20021218 Openwebmail 1.71 remote root compromise", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"name": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435", "refsource": "CONFIRM", "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"name": "open-webmail-command-execution(10904)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T03:19:28.608Z"}, "title": "CVE Program Container", "references": [{"name": "6425", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/6425"}, {"name": "20021219 [Fix] Openwebmail 1.71 remote root compromise", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"name": "20021218 Openwebmail 1.71 remote root compromise", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"name": "open-webmail-command-execution(10904)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2002-1385", "datePublished": "2004-09-01T04:00:00", "dateReserved": "2002-12-19T00:00:00", "dateUpdated": "2024-08-08T03:19:28.608Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open_webmail:open_webmail:1.7:*:*:*:*:*:*:*", "matchCriteriaId": "9B94ECAA-1148-4A84-93B4-56B56A0938AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_webmail:open_webmail:1.8:*:*:*:*:*:*:*", "matchCriteriaId": "DA86C04C-D31E-4B0B-A8E0-13A5FED7644E", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_webmail:open_webmail:1.71:*:*:*:*:*:*:*", "matchCriteriaId": "62736A5C-7E68-4E47-9954-D62C913E3AF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_webmail:open_webmail:1.81:*:*:*:*:*:*:*", "matchCriteriaId": "02D1462D-CC70-41CC-BAF4-48CD0ECAFD4A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed."}, {"lang": "es", "value": "openwebmail_init en Open WebMail 1.81 y anteriores permiten a usuarios locales ejecutar c\u00f3digo arbitrario mediante secuencias .. (punto punto) en un nombre de inicio de sesi\u00f3n, como el nombre suministrado en el par\u00e1metro sessionid de openwebmail-abook.pl, que es usado para encontrar un fichero de configuraci\u00f3n que especifica c\u00f3digo adicional para ser ejecutado."}], "id": "CVE-2002-1385", "lastModified": "2017-10-10T01:30:12.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2002-12-26T05:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/6425"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}