cgiemail and cgiecho Multiple Security Vulnerabilities (CVE-2017-5613)

2017-04-21T00:00:00
ID SSV:92980
Type seebug
Reporter Root
Modified 2017-04-21T00:00:00

Description

> [] SEC-212 Format string injection
>
> The ability to supply arbitrary format strings to cgiemail and
> cgiecho allowed code execution whenever a user was able to provide a
> cgiemail template file.

Use CVE-2017-5613.

> [] SEC-214 Open redirect
>
> The cgiemail and cgiecho binaries served as an open redirect due to
> their handling of the success and failure parameters.

Use CVE-2017-5614.

> [] SEC-215 HTTP header injection
>
> The handling of redirects in cgiemail and cgiecho did not protect
> against the injection of additional HTTP headers.

Use CVE-2017-5615.

> [] Reflected XSS vulnerability
>
> The "addendum" parameter was reflected without any escaping in
> success and error messages produced by cgiemail and cgiecho.

Use CVE-2017-5616.
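
An added example, not code from cgiemail or from the vendor's fix: one way a C CGI program could check a redirect target, such as the value of the success or failure parameter, before writing it into a Location header. It covers the open redirect (SEC-214) and HTTP header injection (SEC-215) items above. The function names, the 2048-byte limit and the same-site-only policy are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not from cgiemail). Call it on the form value AFTER
 * URL-decoding, so that an encoded CR/LF has already become a raw byte.
 * Returns 1 if `target` may be written into a "Location:" header as a
 * same-site redirect, 0 otherwise. */
int redirect_target_is_safe(const char *target)
{
    size_t i, len;

    if (target == NULL)
        return 0;
    len = strlen(target);
    if (len == 0 || len > 2048)      /* assumed upper bound */
        return 0;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)target[i];
        /* SEC-215: a control byte (CR, LF, ...) could end the header line
         * and begin another one, so none is accepted. */
        if (c < 0x20 || c == 0x7f)
            return 0;
        /* Browsers treat '\' like '/', so "/\host" can leave the site. */
        if (c == '\\')
            return 0;
    }

    /* SEC-214: accept only a path on this site. It must begin with exactly
     * one '/'; "//host" is scheme-relative and "scheme:..." is absolute. */
    if (target[0] != '/' || target[1] == '/')
        return 0;

    return 1;
}

/* Returns the requested target when it passes the check, otherwise the
 * fixed local fallback supplied by the caller. */
const char *choose_redirect(const char *requested, const char *fallback)
{
    return redirect_target_is_safe(requested) ? requested : fallback;
}
```
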