CVE-2021-37845

Name of the Vulnerable Software and Affected Versions Citadel through webcit-932

Description An issue was discovered that allows a meddler-in-the-middle attacker to fixate their own session during the cleartext phase before a STARTTLS command, violating the RFC2595 standard. This potentially enables an attacker to cause a victim's e-mail messages to be stored into the attacker's IMAP mailbox, depending on the victim's client behavior.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.