CVE-2008-6984

Plesk 8.6.0, when short mail login names (SHORTNAMES) are enabled, allows remote attackers to bypass authentication and send spam e-mail via a message with (1) a base64-encoded username that begins with a valid shortname, or (2) a username that matches a valid password, as demonstrated using (a) SMTP and qmail, and (b) Courier IMAP and POP3.

CVSS v2.0 5.8 MEDIUM

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:N

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.osvdb.org/51652
http://www.securityfocus.com/archive/1/495881	Exploit
http://www.securityfocus.com/bid/30956
http://www.securitytracker.com/id?1020801
https://exchange.xforce.ibmcloud.com/vulnerabilities/44856

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parallels:plesk:8.6.0:-:linux\/unix:::::*
	cpe:2.3:a:parallels:plesk:8.6.0:-:windows:::::*

History

No history.

Information

Published : 2009-08-19 05:24

Updated : 2023-12-10 10:51

NVD link : CVE-2008-6984

Mitre link : CVE-2008-6984

CVE.ORG link : CVE-2008-6984

JSON object : View

Products Affected

parallels

plesk

CWE

CWE-287

Improper Authentication

{"id": "CVE-2008-6984", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2009-08-19T05:24:52.420", "references": [{"url": "http://www.osvdb.org/51652", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/495881", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/30956", "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id?1020801", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44856", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "Plesk 8.6.0, when short mail login names (SHORTNAMES) are enabled, allows remote attackers to bypass authentication and send spam e-mail via a message with (1) a base64-encoded username that begins with a valid shortname, or (2) a username that matches a valid password, as demonstrated using (a) SMTP and qmail, and (b) Courier IMAP and POP3."}, {"lang": "es", "value": "Plesk v8.6.0, cunado la ordenaci\u00f3n de nombres de login est\u00e1 activada, permite a atacantes remotos saltarse la autenticaci\u00f3n y enviar correo electr\u00f3nico spam a trav\u00e9s de un mensaje con (1) un nombre de usuario codificado base64 que comienze con un shortname v\u00e1lido, o (2) un nombre de usuario que coincida con una contrase\u00f1a v\u00e1lida, como se demostr\u00f3 utilizando (a) SMTP y qmail, y (b) Courier IMAP y POP3."}], "lastModified": "2017-08-17T01:29:43.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:parallels:plesk:8.6.0:-:linux\\/unix:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB07B3E7-2A3B-4E39-8502-72F0E130F9FE"}, {"criteria": "cpe:2.3:a:parallels:plesk:8.6.0:-:windows:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "893022B3-8E65-4BB8-9215-D10955B57B2F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}