6 results (0.014 seconds)

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1

sendmail through 8.17.2 allows SMTP smuggling in certain configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because sendmail supports <LF>.<CR><LF> but some other popular e-mail servers do not. This is resolved in 8.18 and later versions with 'o' in srv_features. sendmail hasta al menos 8.14.7 permite el contrabando SMTP en ciertas configuraciones. • http://www.openwall.com/lists/oss-security/2023/12/24/1 http://www.openwall.com/lists/oss-security/2023/12/25/1 http://www.openwall.com/lists/oss-security/2023/12/26/5 http://www.openwall.com/lists/oss-security/2023/12/29/5 http://www.openwall.com/lists/oss-security/2023/12/30/1 http://www.openwall.com/lists/oss-security/2023/12/30/3 https://access.redhat.com/security/cve/CVE-2023-51765 https://bugzilla.redhat.com/show_bug.cgi?id=2255869 ht • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 4.3EPSS: 1%CPEs: 2EXPL: 0

The version of Sendmail 8.13.1-2 on Red Hat Enterprise Linux 4 Update 4 and earlier does not reject the "localhost.localdomain" domain name for e-mail messages that come from external hosts, which might allow remote attackers to spoof messages. La versión de Sendmail 8.13.1-2 en Red Hat Enterprise Linux 4 Update 4 y anteriores no rechazan el nombre de dominio "localhost.localdomain" para mensajes de correo electrónico que provienen de estaciones externas, lo cual podría permitir a atacantes remotos falsificar mensajes. • http://secunia.com/advisories/25098 http://secunia.com/advisories/25743 http://support.avaya.com/elmodocs2/security/ASA-2007-248.htm http://www.redhat.com/support/errata/RHSA-2007-0252.html http://www.securityfocus.com/bid/23742 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171838 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11499 https://access.redhat.com/security/cve/CVE-2006-7176 https://bugzilla.redhat.com/show_bug.cgi?id=23854 •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

The version of Sendmail 8.13.1-2 on Red Hat Enterprise Linux 4 Update 4 and earlier does not allow the administrator to disable SSLv2 encryption, which could cause less secure channels to be used than desired. La version de Sendmail 8.13.1-2 en Red Hat Enterprise Linux 4 Update 4 y anteriores no permiten al administrador deshabilitar la encriptación SSLv2, lo cual podría provocar que se pudieran usar canales menos seguros de lo deseado. • https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=172352 •

CVSS: 5.0EPSS: 12%CPEs: 26EXPL: 0

The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. • ftp://patches.sgi.com/support/free/security/advisories/20030803-01-P http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000727 http://www.kb.cert.org/vuls/id/993452 http://www.mandriva.com/security/advisories?name=MDKSA-2003:086 http://www.novell.com/linux/security/advisories/2003_035_sendmail.html http://www.redhat.com/support/errata/RHSA-2003-265.html http://www.sendmail.org/dnsmap1.html https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef •

CVSS: 7.2EPSS: 0%CPEs: 14EXPL: 1

Local users can start Sendmail in daemon mode and gain root privileges. • https://www.exploit-db.com/exploits/19556 http://www.securityfocus.com/bid/716 •