CVE-2004-2677

critical

Description

Format string vulnerability in qwik-smtpd.c in QwikMail SMTP (qwik-smtpd) 0.3 and earlier allows remote attackers to execute arbitrary code via format specifiers in the (1) clientRcptTo array, and the (2) Received and (3) messageID variables, possibly involving HELO and hostname arguments.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/17917

http://www.vupen.com/english/advisories/2007/0687

http://www.securityfocus.com/archive/1/460600/100/0/threaded

http://unl0ck.info/advisories/qwik-smtpd.txt

http://securitytracker.com/id?1012016

http://secunia.com/advisories/13037

http://qwikmail.sourceforge.net/smtpd/qwik-smtpd-0.3.patch

Details

Source: Mitre, NVD

Published: 2004-12-31

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.06436