CVE-2009-1469

Name of the Vulnerable Software and Affected Versions IceWarp eMail Server and WebMail Server versions prior to 9.4.2

Description The issue allows remote attackers to trick a user into disclosing credentials via CRLF sequences preceding a Reply-To header in the subject element of an XML document. This can be achieved by triggering an e-mail message from the server that contains a user's correct credentials and requests that the user compose a reply that includes this message.

Recommendations For versions prior to 9.4.2, update to version 9.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Forgot Password implementation in server/webmail.php to minimize the risk of exploitation.