CVE-2021-37845
First published: Mon May 29 2023(Updated: )
An issue was discovered in Citadel through webcit-932. A meddler-in-the-middle attacker can fixate their own session during the cleartext phase before a STARTTLS command (a violation of "The STARTTLS command is only valid in non-authenticated state." in RFC2595). This potentially allows an attacker to cause a victim's e-mail messages to be stored into an attacker's IMAP mailbox, but depends on details of the victim's client behavior.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Citadel WebCit | <=932 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-37845.
What is the severity level of CVE-2021-37845?
The severity level of CVE-2021-37845 is low with a score of 3.7.
What software is affected by CVE-2021-37845?
The Citadel WebCit software up to version 932 is affected by CVE-2021-37845.
What is the impact of CVE-2021-37845?
CVE-2021-37845 allows a meddler-in-the-middle attacker to fixate their own session, potentially compromising the security of the system.
Are there any references available for CVE-2021-37845?
Yes, you can find references for CVE-2021-37845 at the following links: [1](http://uncensored.citadel.org/dotgoto?room=Citadel%20Security), [2](https://nostarttls.secvuln.info/), [3](https://uncensored.citadel.org/msg/2099264259).
- collector/nvd-latest
- collector/nvd-index
- agent/severity
- agent/description
- agent/author
- agent/event
- agent/type
- agent/references
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/citadel
- canonical/citadel webcit
- version/citadel webcit/932