User controlled parameters related to SMTP notifications are not correctly validated. Sensitive information can be redirected to an attacker-controlled address.Ī user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the Carriage Return and Line Feed (CRLF) control characters and include arbitrary SMTP headers in the generated test email.Ī user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass blocked network recipients. The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. This vulnerability affects Thunderbird sequences and then inject arbitrary SMTP commands. If an unprotected authentication method was configured, the MITM could obtain the authentication credentials, too. A MITM could perform a downgrade attack to intercept transmitted messages, or could take control of the authenticated session to execute SMTP commands chosen by the MITM. Thunderbird ignored the configuration to require STARTTLS security for an SMTP connection. This test function can be used to identify the listening TCP ports available to the server, revealing information about the internal network environment. The installation configuration user interface available to administrators allows testing the configured SMTP server settings.
In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test. ĭatalust (aka seq-app-htmlemail) 3.1.8, 3.1.0, and 3.1.6 can use cleartext SMTP on port 25 in some cases where encryption on port 465 was intended. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property to true.
The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers.
#MDAEMON MAIL SERVER AUTHENTICATION FROM SECURITY GATEWAY FULL#
In case the tenant has an smtp credential set, the full credential information is disclosed.Īpache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. The correct exploitation of this vulnerability causes sensitive information exposure. The vulnerability allows an unauthenticated attacker to use an api endpoint to generate a temporary JWT token that is designed to reference the correct tenant prior to authentication, to request system configuration parameters using direct api requests. A broken access control vulnerability has been found while using a temporary generated token in order to consume api resources. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect Access Control.