PT-2023-11790 · Citadel · Citadel

Murgi · Published 2023-05-29 · Updated 2025-01-14 · CVE-2020-29547

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Citadel through webcit-926

Description: An issue allows meddler-in-the-middle attackers to pipeline commands after POP3 STLS, IMAP STARTTLS, or SMTP STARTTLS commands, injecting cleartext commands into an encrypted user session. The server processes the STARTTLS command but keeps whatever bytes were already buffered behind it, so commands an attacker appends on the cleartext leg of the connection are executed after the TLS handshake, inside the session the legitimate client goes on to authenticate. This can lead to credential disclosure.

Recommendations: For Citadel through webcit-926, until a patch is available, disable the POP3 STLS, IMAP STARTTLS, and SMTP STARTTLS commands on the cleartext listeners and require implicit TLS instead (IMAPS on port 993, POP3S on port 995, SMTP submission over TLS on port 465), so that clients cannot fall back to cleartext once STARTTLS is gone. Restrict network access to the mail listeners to the networks that need them, which limits an attacker's opportunity to interpose on user sessions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
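The injection the description refers to comes down to one buffer-handling decision on the server. The following is an added example in Python, not code from this page or from the Citadel project: a hypothetical model of an IMAP server's pre-authentication read loop shows the vulnerable and the fixed behaviour side by side, and probe_imap_starttls() is a live check a practitioner can run against a server they are authorised to test. The pipelined segment, the tags a1/a2, the NOOP command and all function names are constructed for this example; the same flush rule applies to POP3 STLS and SMTP STARTTLS.

```python
import socket
import ssl
import sys

# Constructed sample of what the server's socket receives when a meddler-in-the-
# middle appends "a2 NOOP" to the client's STARTTLS segment. The tags a1/a2 and
# the NOOP command are chosen for this example; any command could be injected.
PIPELINED_SEGMENT = b"a1 STARTTLS\r\na2 NOOP\r\n"


class ImapServerModel:
    """Hypothetical model of an IMAP server's pre-authentication read loop.

    Not Citadel's code: only the handling of the read buffer around STARTTLS is
    modelled, which is where this bug class lives.
    """

    def __init__(self, flush_after_starttls):
        self.flush_after_starttls = flush_after_starttls
        self.buf = b""
        self.tls = False
        self.log = []  # (channel, command line, response)

    def feed(self, data):
        """Process bytes as they arrive from the socket; return the command log."""
        self.buf += data
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            self._handle(line)
        return self.log

    def _handle(self, line):
        tag, _, cmd = line.partition(b" ")
        channel = "tls" if self.tls else "plain"
        if cmd.upper() == b"STARTTLS":
            self.log.append((channel, line, tag + b" OK Begin TLS negotiation now"))
            self.tls = True  # a real server runs the TLS handshake here
            if self.flush_after_starttls:
                # Fix: bytes already buffered were read in cleartext and may have
                # been appended by a meddler, so they must not be executed later.
                self.buf = b""
        elif cmd.upper() == b"NOOP":
            self.log.append((channel, line, tag + b" OK NOOP completed"))
        else:
            self.log.append((channel, line, tag + b" BAD Command not supported here"))


def commands_run_inside_tls(flush_after_starttls, segment=PIPELINED_SEGMENT):
    """Command lines the model executed after the STARTTLS transition."""
    model = ImapServerModel(flush_after_starttls)
    return [line for channel, line, _ in model.feed(segment) if channel == "tls"]


def _recv_until(sock, marker, limit=4096):
    data = b""
    while marker not in data and len(data) < limit:
        chunk = sock.recv(limit)
        if not chunk:
            break
        data += chunk
    return data


def probe_imap_starttls(host, port=143, timeout=5.0):
    """Live check against an IMAP server you are authorised to test.

    Sends STARTTLS with a pipelined 'a2 NOOP', completes the TLS handshake and
    then reads without sending anything. A server that answers tag a2 inside
    the TLS session executed a cleartext command there ('vulnerable'); a fixed
    server discards it and the read times out ('ok').
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if not _recv_until(sock, b"\r\n").startswith(b"* OK"):
            return "unexpected"
        sock.sendall(PIPELINED_SEGMENT)
        plain = _recv_until(sock, b"\r\n")
        if b"a1 OK" not in plain or b"a2 " in plain:
            return "unexpected"  # STARTTLS refused, or NOOP answered in cleartext
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # the probe tests injection, not the certificate
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            try:
                post = _recv_until(tls, b"\r\n")
            except socket.timeout:
                return "ok"
        return "vulnerable" if post.startswith(b"a2 ") else "unexpected"


if __name__ == "__main__":
    print("without flush:", commands_run_inside_tls(False))  # [b'a2 NOOP']
    print("with flush:   ", commands_run_inside_tls(True))   # []
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe_imap_starttls(sys.argv[1]))
```

Run without arguments to see the model alone; pass a hostname to run the live probe against port 143. The probe deliberately skips certificate validation because it is measuring command handling, not trust; a patched server produces no output after the handshake, which is why a read timeout is reported as "ok".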

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2020-29547

Affected Products: Citadel