Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2001-1088

Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user.

Published

2001-06-05T04:00:00.000

Last Modified

2025-04-03T01:03:51.193

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    NVD-CWE-Other
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application microsoft outlook 97 Yes
Application microsoft outlook 98 Yes
Application microsoft outlook 2000 Yes
Application microsoft outlook_express 4.0 Yes
Application microsoft outlook_express 4.5 Yes
Application microsoft outlook_express 4.27.3110 Yes
Application microsoft outlook_express 4.72.2106 Yes
Application microsoft outlook_express 4.72.3120.0 Yes
Application microsoft outlook_express 4.72.3612 Yes
Application microsoft outlook_express 5.0 Yes
Application microsoft outlook_express 5.5 Yes
References