Citadel · Citadel · CVE-2020-29547
**Name of the Vulnerable Software and Affected Versions**
Citadel through webcit-926
**Description**
An issue allows meddler-in-the-middle attackers to pipeline commands after the POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS command: plaintext bytes that the server has already buffered before the TLS handshake are processed as if they had arrived inside the encrypted session, so cleartext commands are injected into an encrypted user session. This can lead to credential disclosure.
**Recommendations**
For Citadel through webcit-926, consider disabling the POP3 STLS, IMAP STARTTLS, and SMTP STARTTLS commands until a patch is available, to prevent cleartext command injection; offering only implicit TLS (IMAPS, POP3S, and SMTPS on their dedicated ports) removes the STARTTLS upgrade step entirely. Restrict access to sensitive user sessions to minimize the risk of credential disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
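The following Python model is an added illustration of the flaw class described above and of the server-side check that closes it; it is not Citadel's code, and the command loop, response strings, and the `discard_pipelined` switch are assumptions made for the example. Network I/O and the real TLS handshake are left out: the model only tracks the receive buffer and whether each command was handled in the clear or after the upgrade, which is all the defect depends on.

```python
UPGRADE_COMMANDS = {b"STARTTLS", b"STLS"}  # SMTP/IMAP and POP3 spellings


class StartTlsServer:
    """Minimal model of a mail server's command loop around the TLS upgrade.

    With discard_pipelined=False the server behaves like the vulnerable case:
    bytes left in the buffer after the upgrade command are processed once the
    session is marked encrypted. With discard_pipelined=True the server refuses
    the upgrade when plaintext is already waiting, which is the mitigation.
    """

    def __init__(self, discard_pipelined: bool):
        self.discard_pipelined = discard_pipelined
        self.buffer = b""
        self.encrypted = False
        self.closed = False
        self.handled = []    # (encrypted_at_time_of_handling, command_line)
        self.responses = []

    @staticmethod
    def command_word(line: bytes) -> bytes:
        # IMAP lines carry a tag first ("A001 STARTTLS"); POP3/SMTP do not.
        parts = line.split()
        if len(parts) >= 2 and parts[1].upper() in UPGRADE_COMMANDS:
            return parts[1].upper()
        return parts[0].upper() if parts else b""

    def receive(self, data: bytes) -> None:
        """Process one chunk of bytes as read from the client socket."""
        self.buffer += data
        while b"\r\n" in self.buffer and not self.closed:
            line, _, self.buffer = self.buffer.partition(b"\r\n")
            self._dispatch(line)

    def _dispatch(self, line: bytes) -> None:
        word = self.command_word(line)
        if word in UPGRADE_COMMANDS and not self.encrypted:
            if self.discard_pipelined and self.buffer:
                # Hardened path: anything already buffered was sent in the
                # clear, before the handshake, and must never be carried into
                # the encrypted session. Drop it and end the connection.
                self.responses.append(b"BAD plaintext data after STARTTLS")
                self.buffer = b""
                self.closed = True
                return
            self.responses.append(b"OK begin TLS negotiation")
            self.encrypted = True  # the TLS handshake would run here
            return
        # Every other command is attributed to the current session state.
        self.handled.append((self.encrypted, line))
        self.responses.append(b"OK")


def run(discard_pipelined: bool, *chunks: bytes) -> StartTlsServer:
    """Feed the given wire chunks to a fresh server and return it."""
    srv = StartTlsServer(discard_pipelined)
    for chunk in chunks:
        srv.receive(chunk)
    return srv


def commands_treated_as_encrypted(srv: StartTlsServer) -> list:
    """Commands the server believes arrived inside the TLS session."""
    return [line for encrypted, line in srv.handled if encrypted]


# Constructed input: one TCP segment carrying the upgrade command with a second
# command pipelined behind it. Only the first line should ever be processed
# before the handshake; the second arrived in plaintext.
PIPELINED = b"A001 STARTTLS\r\nA002 NOOP\r\n"

if __name__ == "__main__":
    vulnerable = run(False, PIPELINED)
    print("vulnerable server handled as encrypted:",
          commands_treated_as_encrypted(vulnerable))
    hardened = run(True, PIPELINED)
    print("hardened server handled as encrypted:",
          commands_treated_as_encrypted(hardened), "closed:", hardened.closed)
```

The check is deliberately placed at the upgrade command rather than after the handshake: once the server has switched to TLS it can no longer tell which buffered bytes predate it, so the only reliable rule is that the receive buffer must be empty when the handshake begins. A well-behaved client that sends STARTTLS alone and waits for the response is unaffected.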