Description
Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user.
Exploits (1)
References (4)
Core References
- Exploit, Vendor Advisory (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/188752
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/6655
- Exploit, Vendor Advisory (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/2823
- Vendor Advisory (x_refsource_confirm): http://support.microsoft.com/default.aspx?scid=kb%3BEN-US%3Bq234241
Scores
EPSS: 0.3558
EPSS Percentile: 97.1%
Details
Status: published
Products (11)
- microsoft/outlook 97
- microsoft/outlook 98
- microsoft/outlook 2000
- microsoft/outlook_express 4.0
- microsoft/outlook_express 4.5
- microsoft/outlook_express 4.27.3110
- microsoft/outlook_express 4.72.2106
- microsoft/outlook_express 4.72.3120.0
- microsoft/outlook_express 4.72.3612
- microsoft/outlook_express 5.0
... and 1 more
Published: Jun 05, 2001
Tracked Since: Feb 18, 2026