HTTP Request Privilege Escalation in Cyrus IMAP 2.5.x and 3.x

CVE-2019-18928 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection.
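
The bug class described above can be shown with a simplified model in Python. This is an added example, not Cyrus IMAP code and not taken from the advisory. It contrasts a handler that keeps the authenticated identity as connection state with one that derives it from each request. All class and function names and the sample credentials are hypothetical.

```python
# Simplified model of the bug class; not Cyrus IMAP code. All names are hypothetical.
import base64

USERS = {"alice": "s3cret"}  # constructed sample credential store


def check_basic(header):
    """Return the user name for a valid Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    return user if USERS.get(user) == password else None


class StickyConnection:
    """Flawed: the authenticated identity is connection state and is never cleared."""

    def __init__(self):
        self.user = None

    def handle(self, headers):
        user = check_basic(headers.get("Authorization"))
        if user:
            self.user = user
        # A request without credentials inherits whatever an earlier request set.
        return (200, self.user) if self.user else (401, None)


class PerRequestConnection:
    """Hardened: identity is derived from the current request only."""

    def handle(self, headers):
        user = check_basic(headers.get("Authorization"))
        return (200, user) if user else (401, None)


def replay(conn, requests):
    """Send each request's headers over one connection; collect (status, user)."""
    return [conn.handle(h) for h in requests]


# Constructed sample: an authenticated request followed by an unrelated anonymous one.
SAMPLE = [
    {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()},
    {},
]
```

Replaying SAMPLE through StickyConnection answers the second, credential-less request as alice, while PerRequestConnection rejects it with 401.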
