Show filters
2 Total Results
Displaying 1-2 of 2
Sort by:
Attacker Value
Very High

CVE-2020-7247

Disclosure Date: January 29, 2020 (last updated November 08, 2023)
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
Attacker Value
Unknown

CVE-2020-8794

Disclosure Date: February 25, 2020 (last updated November 08, 2023)
OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client code during bounce handling.