Ricky Latt

**Name of the Vulnerable Software and Affected Versions** JavaMail API versions 1.1.3 through 1.3 **Description** The issue allows remote attackers to view other users' e-mail attachments via a direct request to "/mailboxesdir/username@domainname". This is related to the ReadMessage.jsp file in the JavaMail API. Note that Sun and Apache dispute this issue, with Sun stating that the report references non-existent source code and files in the mentioned products. **Recommendations** For JavaMail API versions 1.1.3 through 1.3, consider restricting access to the ReadMessage.jsp file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JavaMail API versions 1.1.3 through 1.3 **Description** The issue allows remote attackers to read arbitrary files via a full pathname in the argument to the `Download` parameter. It is worth noting that Sun and Apache dispute this issue, with Sun stating that the report references non-existent source code and files in the mentioned products. **Recommendations** For JavaMail API versions 1.1.3 through 1.3, as a temporary workaround, consider restricting access to the `Download` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JavaMail API (affected versions not specified) **Description** The issue concerns the JavaMail API, which does not properly validate the message number in the MimeMessage constructor in javax.mail.internet.InternetHeaders. This allows remote authenticated users to read other users' e-mail messages by modifying the `msgno` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.