Vulnerability Description
Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Outlook | 97 |
| Microsoft | Outlook Express | 4.0 |
References
- http://support.microsoft.com/default.aspx?scid=kb%3BEN-US%3Bq234241
- http://www.securityfocus.com/archive/1/188752ExploitVendor Advisory
- http://www.securityfocus.com/bid/2823ExploitVendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6655
- http://support.microsoft.com/default.aspx?scid=kb%3BEN-US%3Bq234241
- http://www.securityfocus.com/archive/1/188752ExploitVendor Advisory
- http://www.securityfocus.com/bid/2823ExploitVendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6655
FAQ
What is CVE-2001-1088?
CVE-2001-1088 is a vulnerability with a CVSS score of 7.5 (HIGH). Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" addre...
How severe is CVE-2001-1088?
CVE-2001-1088 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2001-1088?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Outlook, Microsoft Outlook Express.