openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed.

Related CVEs

CVE-2002-1385

Key Information

GHSA ID

GHSA-r6hq-58j4-9342

Published

April 30, 2022 6:21 PM

Last Modified

April 30, 2022 6:21 PM

CVSS Score

7.5 /10

Primary Ecosystem

Unknown

Primary Package

Unknown

GitHub Reviewed

✗ No

Dataset

Last updated: June 28, 2025 6:27 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.