
CVE-2019-19920 – Ubuntu Security Notice USN-4520-1
https://notcve.org/view.php?id=CVE-2019-19920
22 Dec 2019 — sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805. • https://bugs.debian.org/946829#24 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2006-1251
https://notcve.org/view.php?id=CVE-2006-1251
19 Mar 2006 — Argument injection vulnerability in greylistclean.cron in sa-exim 4.2 allows remote attackers to delete arbitrary files via an email with a To field that contains a filename separated by whitespace, which is not quoted when greylistclean.cron provides the argument to the rm command. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345071 • CWE-94: Improper Control of Generation of Code ('Code Injection') •