CVE-2011-1926

Name of the Vulnerable Software and Affected Versions Cyrus IMAP Server versions prior to 2.4.7

Description The issue is related to a "plaintext command injection" attack, where man-in-the-middle attackers can insert commands into encrypted sessions. This occurs because the STARTTLS implementation does not properly restrict I/O buffering, allowing attackers to send a cleartext command that is processed after TLS is in place.

Recommendations For versions prior to 2.4.7, update to version 2.4.7 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and minimizing the use of cleartext commands in encrypted sessions until the update is applied.