CVE-2002-1385 - Vulnerability Details - OpenCVE

openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00051.

Key SSVC decision points have not yet been added.

Vendors	Products
Open Webmail Subscribe	Open Webmail Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:open_webmail:open_webmail:1.7:::::::*
	cpe:2.3:a:open_webmail:open_webmail:1.8:::::::*
	cpe:2.3:a:open_webmail:open_webmail:1.71:::::::*
	cpe:2.3:a:open_webmail:open_webmail:1.81:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2002-1369	openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://marc.info/?l=bugtraq&m=104031696120743&w=2
http://marc.info/?l=bugtraq&m=104032263328026&w=2
http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435
http://www.securityfocus.com/bid/6425
https://exchange.xforce.ibmcloud.com/vulnerabilities/10904

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2004-09-01T04:00:00

Updated: 2024-08-08T03:19:28.608Z

Reserved: 2002-12-19T00:00:00

Link: CVE-2002-1385

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2002-12-26T05:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2002-1385

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

NVD-CWE-Other

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2002-12-18T00:00:00", "descriptions": [{"lang": "en", "value": "openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-18T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "6425", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/6425"}, {"name": "20021219 [Fix] Openwebmail 1.71 remote root compromise", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"name": "20021218 Openwebmail 1.71 remote root compromise", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"name": "open-webmail-command-execution(10904)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2002-1385", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "6425", "refsource": "BID", "url": "http://www.securityfocus.com/bid/6425"}, {"name": "20021219 [Fix] Openwebmail 1.71 remote root compromise", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"name": "20021218 Openwebmail 1.71 remote root compromise", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"name": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435", "refsource": "CONFIRM", "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"name": "open-webmail-command-execution(10904)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T03:19:28.608Z"}, "title": "CVE Program Container", "references": [{"name": "6425", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/6425"}, {"name": "20021219 [Fix] Openwebmail 1.71 remote root compromise", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"name": "20021218 Openwebmail 1.71 remote root compromise", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"name": "open-webmail-command-execution(10904)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2002-1385", "datePublished": "2004-09-01T04:00:00", "dateReserved": "2002-12-19T00:00:00", "dateUpdated": "2024-08-08T03:19:28.608Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open_webmail:open_webmail:1.7:*:*:*:*:*:*:*", "matchCriteriaId": "9B94ECAA-1148-4A84-93B4-56B56A0938AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_webmail:open_webmail:1.8:*:*:*:*:*:*:*", "matchCriteriaId": "DA86C04C-D31E-4B0B-A8E0-13A5FED7644E", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_webmail:open_webmail:1.71:*:*:*:*:*:*:*", "matchCriteriaId": "62736A5C-7E68-4E47-9954-D62C913E3AF7", "vulnerable": true}, {"criteria": "cpe:2.3:a:open_webmail:open_webmail:1.81:*:*:*:*:*:*:*", "matchCriteriaId": "02D1462D-CC70-41CC-BAF4-48CD0ECAFD4A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed."}, {"lang": "es", "value": "openwebmail_init en Open WebMail 1.81 y anteriores permiten a usuarios locales ejecutar c\u00f3digo arbitrario mediante secuencias .. (punto punto) en un nombre de inicio de sesi\u00f3n, como el nombre suministrado en el par\u00e1metro sessionid de openwebmail-abook.pl, que es usado para encontrar un fichero de configuraci\u00f3n que especifica c\u00f3digo adicional para ser ejecutado."}], "id": "CVE-2002-1385", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": true, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2002-12-26T05:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/6425"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=104031696120743&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=104032263328026&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/6425"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/10904"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}