Fluid Attacks Database

Description

The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter Plugin 0.3.1, when using the expand option, allows remote attackers to execute arbitrary system commands via shell metacharacters in the RCPT TO field of an email message.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	spamass-milter	>=0 <0.3.1-9	0.3.1-9
debian 12	spamass-milter	>=0 <0.3.1-9	0.3.1-9
debian 13	spamass-milter	>=0 <0.3.1-9	0.3.1-9
debian 14	spamass-milter	>=0 <0.3.1-9	0.3.1-9

Aliases

1. CVE-2010-11322. NVD-2010-11323. OSV-DEBIAN-2010-11324. OSV-2010-11325. SECURITY-TRACKER-CVE-2010-1132

References

1. https://www.exploit-db.com/exploits/11662

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.