CVE-2007-2655

Unspecified vulnerability in NetWin Webmail 3.1s-1 in SurgeMail before 3.8i2 has unknown impact and remote attack vectors, possibly a format string vulnerability that allows remote code execution.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
Surgemail	Netwin	3.8f3 (including)	3.8f3 (including)
Surgemail	Netwin	3.8i (including)	3.8i (including)
Surgemail	Netwin	3.8i2 (including)	3.8i2 (including)
Webmail	Netwin	3.1s1 (including)	3.1s1 (including)
Webmail	Netwin	3.1s13 (including)	3.1s13 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://osvdb.org/35891
http://secunia.com/advisories/25207
http://www.netwinsite.com/surgemail/help/updates.htm
http://www.securityfocus.com/bid/23908
http://www.vupen.com/english/advisories/2007/1755
https://exchange.xforce.ibmcloud.com/vulnerabilities/34217
http://osvdb.org/35891
http://secunia.com/advisories/25207
http://www.netwinsite.com/surgemail/help/updates.htm
http://www.securityfocus.com/bid/23908
http://www.vupen.com/english/advisories/2007/1755
https://exchange.xforce.ibmcloud.com/vulnerabilities/34217

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-2655
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References