CVE-2015-9097
https://notcve.org/view.php?id=CVE-2015-9097
The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
References:
http://openwall.com/lists/oss-security/2015/12/11/3
http://www.mbsd.jp/Whitepaper/smtpi.pdf
https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
https://github.com/mikel/mail/pull/1097
https://github.com/rubysec/ruby-advisory-db/issues/215
https://hackerone.com/reports/137631
https://rubysec.com/advisories/mail-OSVDB-131677
Weakness: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2016-4879
https://notcve.org/view.php?id=CVE-2016-4879
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
References:
http://basercms.net/security/JVN92765814
http://www.securityfocus.com/bid/93217
https://jvn.jp/en/jp/JVN92765814/index.html
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2011-0739
https://notcve.org/view.php?id=CVE-2011-0739
The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address.
References:
http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1
http://osvdb.org/70667
http://secunia.com/advisories/43077
http://www.securityfocus.com/bid/46021
http://www.vupen.com/english/advisories/2011/0233
https://exchange.xforce.ibmcloud.com/vulnerabilities/65010
https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch
Weakness: CWE-20: Improper Input Validation