QwikSec

Security Database

CVE

CWE

Training

CVE-2019-19783

Published: Dec 16, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html

x_refsource_MISC

https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html

x_refsource_MISC

20191219 [SECURITY] [DSA 4590-1] cyrus-imapd security update

mailing-list

x_refsource_BUGTRAQ

vendor-advisory

x_refsource_DEBIAN

FEDORA-2019-7938c21723

vendor-advisory

x_refsource_FEDORA

FEDORA-2019-ad23a4522d

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_GENTOO

vendor-advisory

x_refsource_UBUNTU

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.