6.5
CVE-2020-37248
- EPSS 0.19%
- Veröffentlicht 08.06.2026 15:05:09
- Zuletzt bearbeitet 09.06.2026 13:57:49
- CVE-Watchlists
- Unerledigt
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerOfflineIMAP
≫
Produkt
OfflineIMAP
Default Statusunaffected
Version
0
Version <
8.0.3
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.082 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cve@mitre.org | 6.5 | 2.2 | 4.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
|
CWE-348 Use of Less Trusted Source
The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack.
https://github.com/OfflineIMAP/offlineimap3/commit/46505c53ef995455d66c685f9ec3ff6ea93dbb74
https://github.com/OfflineIMAP/offlineimap3/issues/222
https://github.com/OfflineIMAP/offlineimap/issues/669
https://pypi.org/project/offlineimap/#history
http://www.openwall.com/lists/oss-security/2026/06/08/3