CVE-2002-0490

Instant Web Mail before 0.60 does not properly filter CR/LF sequences, which allows remote attackers to (1) execute arbitrary POP commands via the id parameter in message.php, or (2) modify certain mail message headers via numerous parameters in write.php.

Published: Aug 12, 2002
Updated: Apr 13, 2023
CVE: CVE-2002-0490
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
instant_web_mail / instant_web_mail	0.59	0.59.x
instant_web_mail / instant_web_mail	0.56	0.56.x
instant_web_mail / instant_web_mail	0.55	0.55.x
instant_web_mail / instant_web_mail	0.58	0.58.x
instant_web_mail / instant_web_mail	0.57	0.57.x

http://instantwebmail.sourceforge.net/#changeLog
http://www.iss.net/security_center/static/8650.php
http://www.securityfocus.com/archive/1/264041
http://www.securityfocus.com/bid/4361

Vulnerability Database

CVE-2002-0490