Page 6 of 50 results (0.013 seconds)

CVSS: 5.8EPSS: 0%CPEs: 16EXPL: 0

Dovecot 2.0.x before 2.0.16, when ssl or starttls is enabled and hostname is used to define the proxy destination, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate for a different hostname. Dovecot v2.0.x antes de v2.0.16, cuando ssl o starttls está disponible y hostname se usa para definir la destinación del proxy, que no verifica que el servidor hostname busca el nombre del dominio en el sujeto del Common Name (CN) del certificado X.509, que permite ataques man-in-the middle para burlar los servidores SSL a través de un certificado para un hostname diferente. • http://hg.dovecot.org/dovecot-2.0/rev/5e9eaf63a6b1 http://rhn.redhat.com/errata/RHSA-2013-0520.html http://secunia.com/advisories/46886 http://secunia.com/advisories/52311 http://www.dovecot.org/list/dovecot-news/2011-November/000200.html http://www.openwall.com/lists/oss-security/2011/11/18/5 http://www.openwall.com/lists/oss-security/2011/11/18/7 https://bugs.gentoo.org/show_bug.cgi?id=390887 https://bugzilla.redhat.com/show_bug.cgi?id=754980 https:/&# • CWE-20: Improper Input Validation •

CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0

script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script. Las secuencias de comandos de inicio de sesión en Dovecot v2.0.x antes de v2.0.13 no sigue las opciones de configuración de chroot, lo que podría permitir a usuarios remotos autenticados realizar ataques de directorio transversal mediante el aprovechamiento de una secuencia de comandos. • http://dovecot.org/pipermail/dovecot/2011-May/059085.html http://openwall.com/lists/oss-security/2011/05/18/4 http://rhn.redhat.com/errata/RHSA-2013-0520.html http://secunia.com/advisories/52311 http://www.dovecot.org/doc/NEWS-2.0 http://www.securityfocus.com/bid/48003 https://exchange.xforce.ibmcloud.com/vulnerabilities/67674 https://access.redhat.com/security/cve/CVE-2011-2167 https://bugzilla.redhat.com/show_bug.cgi?id=709097 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 0

script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. La secuencia de comandos de inicio de sesión en Dovecot v2.0.x antes de v2.0.13 no sigue la configuración del usuario y grupo, lo que podría permitir a usuarios remotos autenticados eludir las restricciones de acceso destinados al aprovechar una secuencia de comandos. • http://dovecot.org/pipermail/dovecot/2011-May/059085.html http://openwall.com/lists/oss-security/2011/05/18/4 http://rhn.redhat.com/errata/RHSA-2013-0520.html http://secunia.com/advisories/52311 http://www.dovecot.org/doc/NEWS-2.0 http://www.securityfocus.com/bid/48003 https://exchange.xforce.ibmcloud.com/vulnerabilities/67675 https://access.redhat.com/security/cve/CVE-2011-2166 https://bugzilla.redhat.com/show_bug.cgi?id=709095 • CWE-16: Configuration •

CVSS: 3.5EPSS: 0%CPEs: 16EXPL: 0

Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.beta2 grants the admin permission to the owner of each mailbox in a non-public namespace, which might allow remote authenticated users to bypass intended access restrictions by changing the ACL of a mailbox, as demonstrated by a symlinked shared mailbox. Dovecot v1.2.x anterior a v1.2.15 y v2.0.x anterior a v2.0.beta2 proporciona permisos de administrador al propietario del cada buzón de correo en un espacio de nombres no público (non-public namespace), lo que podría permitir a usuarios autenticados remotamente evitar resctricciones de acceso intencionadas cambiando el ACL de un buzón de correo, tal y como se demostró con un buzón "symlinked shared" • http://secunia.com/advisories/43220 http://www.dovecot.org/list/dovecot/2010-October/053450.html http://www.dovecot.org/list/dovecot/2010-October/053452.html http://www.mandriva.com/security/advisories?name=MDVSA-2010:217 http://www.ubuntu.com/usn/USN-1059-1 http://www.vupen.com/english/advisories/2010/2840 http://www.vupen.com/english/advisories/2011/0301 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.0EPSS: 0%CPEs: 15EXPL: 0

Dovecot 1.2.x before 1.2.15 allows remote authenticated users to cause a denial of service (master process outage) by simultaneously disconnecting many (1) IMAP or (2) POP3 sessions. Dovecot v1.2.x anterior a v1.2.15 permite a usuarios autenticados remotamente provocar una denegación de servicio (interrupción del proceso maestro) mediante la desconexión simultanea de varias sesiones (1) IMAP o (2) POP3 • http://secunia.com/advisories/43220 http://www.dovecot.org/list/dovecot/2010-October/053450.html http://www.mandriva.com/security/advisories?name=MDVSA-2010:217 http://www.redhat.com/support/errata/RHSA-2011-0600.html http://www.ubuntu.com/usn/USN-1059-1 http://www.vupen.com/english/advisories/2010/2840 http://www.vupen.com/english/advisories/2011/0301 https://access.redhat.com/security/cve/CVE-2010-3780 https://bugzilla.redhat.com/show_bug.cgi?id=641276 •