Alexander Van Eee

**Name of the Vulnerable Software and Affected Versions** OpenVAS Manager versions 1.0.x through 1.0.3 OpenVAS Manager versions 2.0.x through 2.0rc2 **Description** The issue allows remote authenticated users to execute arbitrary commands via the `To` or `From` e-mail address in an OMP request to the Greenbone Security Assistant (GSA). This is due to a problem in the email function in manage sql.c. **Recommendations** For OpenVAS Manager versions 1.0.x through 1.0.3, consider disabling the email function in manage sql.c until a patch is available. For OpenVAS Manager versions 2.0.x through 2.0rc2, restrict access to the email function in manage sql.c to minimize the risk of exploitation. As a temporary workaround, avoid using the `To` and `From` e-mail address fields in OMP requests to the GSA until the issue is resolved.