Bypassing SPF and DMARC Authentication via Inconsistent HELO and MAIL FROM Fields in OpenDMARC and pypolicyd-spf

CVE-2019-20790 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows SPF and DMARC authentication to be bypassed in situations where the SMTP HELO identity is inconsistent with the MAIL FROM identity.
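The advisory says only that an inconsistency between the HELO identity and the MAIL FROM identity lets a message pass SPF and DMARC. The defensive point is that a DMARC evaluator must tie an SPF "pass" to the identity it was actually evaluated for: per RFC 7489 the SPF identity used for DMARC is MAIL FROM, with HELO used only for a null sender, and the alignment check must refer to that same domain. The following is an added illustration, not code from OpenDMARC or pypolicyd-spf and not their internal logic; the `SpfResult` records, the `weak_dmarc_spf` pattern (any pass from either identity vouches for MAIL FROM) and the sample scenarios are constructed to show the difference, and the organizational-domain helper is simplified (real DMARC uses the Public Suffix List).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SpfResult:
    """One SPF evaluation. Constructed input; no real SPF lookup is performed here."""
    identity: str  # "helo" or "mailfrom"
    domain: str    # the domain the SPF check was evaluated for
    result: str    # "pass", "fail", "softfail", "neutral", "none", ...


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC relaxed alignment uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment between the authenticated domain and RFC5322.From."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def weak_dmarc_spf(from_domain: str, mail_from_domain: Optional[str],
                   results: List[SpfResult]) -> bool:
    """Weak pattern (constructed): any SPF 'pass', from whichever identity produced it,
    is taken as authenticating the MAIL FROM domain. A HELO domain the sender controls
    can then vouch for a MAIL FROM domain it has nothing to do with."""
    any_pass = any(r.result == "pass" for r in results)
    checked = mail_from_domain or next(
        (r.domain for r in results if r.identity == "helo"), "")
    return any_pass and aligned(checked, from_domain)


def dmarc_spf(from_domain: str, mail_from_domain: Optional[str],
              results: List[SpfResult], strict: bool = False) -> bool:
    """RFC 7489 rule: use the MAIL FROM result; use HELO only for a null sender.
    The pass and the alignment check must refer to the same evaluated domain."""
    wanted = "mailfrom" if mail_from_domain else "helo"
    r = next((x for x in results if x.identity == wanted), None)
    if r is None or r.result != "pass":
        return False
    if mail_from_domain and r.domain.lower() != mail_from_domain.lower():
        return False  # the pass was computed for some other domain; do not reuse it
    return aligned(r.domain, from_domain, strict)


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    """Constructed scenarios; returns {name: (weak_verdict, rfc7489_verdict)}."""
    victim, attacker = "victim.example", "attacker.example"  # placeholder domains
    scenarios = {
        # HELO is an attacker domain whose SPF record passes for the sending host;
        # MAIL FROM claims the victim domain and fails SPF on its own.
        "forged": (victim, victim, [SpfResult("helo", attacker, "pass"),
                                    SpfResult("mailfrom", victim, "fail")]),
        # Ordinary mail: MAIL FROM domain passes SPF and aligns with From.
        "legit": (victim, victim, [SpfResult("helo", "mail." + victim, "pass"),
                                   SpfResult("mailfrom", victim, "pass")]),
        # Bounce with a null sender: HELO is the only identity, and it aligns.
        "null_sender": (victim, None, [SpfResult("helo", "mail." + victim, "pass")]),
    }
    return {name: (weak_dmarc_spf(f, m, res), dmarc_spf(f, m, res))
            for name, (f, m, res) in scenarios.items()}


if __name__ == "__main__":
    for name, (weak, proper) in run_scenarios().items():
        print(f"{name:12s} weak={weak!s:5s} rfc7489={proper}")
```

In the "forged" scenario the weak evaluator reports a DMARC pass because a HELO pass leaked into the MAIL FROM judgement, while the RFC 7489 evaluator rejects it because the MAIL FROM identity itself did not pass; the other two scenarios show that the stricter rule still accepts legitimate mail, including null-sender bounces.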