SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Spamassassin | Apache | 3.1.0 (including) | 3.1.0 (including) |
Spamassassin | Apache | 3.1.1 (including) | 3.1.1 (including) |
Spamassassin | Apache | 3.1.2 (including) | 3.1.2 (including) |