MailEnable Enterprise 1.04 and prior and MailEnable Professional 1.54 and prior contain two security issues that allow a remote attacker to create a denial of service (DoS) condition or execute arbitrary code.
The first issue (CAN-2005-1781) only affects the SMTP service and exists due to an error in the SMTP authentication procedure. Details of the issue are unavailable, but a remote attacker could exploit this issue to crash the SMTP service, resulting in a DoS condition.
The second issue affects the IMAP service and exists due to insufficient bounds checking while handling user-supplied input to the STATUS command. A remote authenticated attacker can exploit this issue by supplying the STATUS command with a long mailbox name. The long name triggers a stack-based buffer overflow and may allow the attacker to execute arbitrary code with SYSTEM privileges. Exploit code is publicly available, which may increase the risk of an attack.
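An added illustration (not MailEnable code and not part of the advisory) of the bounds check this class of bug lacks: a hypothetical `parse_status_mailbox` that rejects an overlong STATUS mailbox name instead of copying it into a fixed-size buffer. The function name, `MAILBOX_MAX` and the return codes are assumptions; escaped quotes and IMAP literals are not handled.

```c
#include <stdio.h>
#include <string.h>

#define MAILBOX_MAX 255 /* assumed limit for this example, not a MailEnable value */

/* Hypothetical parser for "<tag> STATUS <mailbox> (<items>)".
 * Copies the mailbox name into out only if it fits, terminator included.
 * Returns 0 on success, -1 on malformed input, -2 if the name is too long. */
int parse_status_mailbox(const char *line, char *out, size_t outsz)
{
    const char *p, *start, *end;
    size_t len;

    if (line == NULL || out == NULL || outsz == 0)
        return -1;
    p = strchr(line, ' ');                 /* skip the command tag */
    if (p == NULL || strncmp(p + 1, "STATUS ", 7) != 0)
        return -1;                         /* case-sensitive match for brevity */
    p += 8;
    if (*p == '"') {                       /* quoted mailbox name */
        start = p + 1;
        end = strchr(start, '"');
        if (end == NULL)
            return -1;
    } else {                               /* bare (atom) mailbox name */
        start = p;
        end = start + strcspn(start, " \r\n");
    }
    len = (size_t)(end - start);
    if (len == 0)
        return -1;
    if (len >= outsz)                      /* the check an unbounded copy omits */
        return -2;                         /* reject; never truncate or overflow */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char box[MAILBOX_MAX + 1];
    /* Constructed sample command line. */
    int rc = parse_status_mailbox("a1 STATUS \"Sent Items\" (UNSEEN)", box, sizeof box);
    printf("rc=%d mailbox=%s\n", rc, rc == 0 ? box : "(rejected)");
    return 0;
}
```

Measuring the length before the copy means an oversized name is refused with an error return rather than written past the end of the destination buffer.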
Updates are available.