CAPEC-134

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Severity: Medium
Email Injection

Description

An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

Prerequisites

The target application must allow the user to send email to some recipient, to specify the content at least one header field in the message, and must fail to sanitize against the injection of command separators.

The adversary must have the ability to access the target mail application.