BASP21 vulnerable to mail header injection


BASP21 provided by B21Soft, Inc. is a component for Windows applications. BASP21 contains a mail header injection vulnerability.

Tomoki Sanaki reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

  • BASP21 Bsendm.exe prior to V2,7,5,31
  • BASP21 Bsmtp.dll prior to V2,7,5,31
  • BASP21 Pro basp21p.dll versions prior to 1,0,704,16


The header of an email created by BASP21 to be sent from a web application mail form may be altered by an unauthenticated remote attacker. As a result, an unintended email may be sent or a denial-of-service (DoS) condition may be caused.

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2007-1713

  1. JVN : JVN#86092776
  2. JVN : JVN#70380788
  3. National Vulnerability Database (NVD) : CVE-2007-1713
  4. IPA SECURITY ALERTS : Security Alert for Vulnerability in BASP21 (JVN#86092776) (in Japanese)
  5. Secunia Advisory : SA24652
  6. SecurityFocus : 23134
  7. ISS X-Force Database : 33211
  8. FrSIRT Advisories : FrSIRT/ADV-2007-1113
Revision History

  • [2008/05/21]
      Web page published
      Title was modified
      Overview was modified
      CVSS Severity was modified
      Affected Products were modified
      Impact was modified
      Solution was modified
      CWE : CWE-ID was added
      References : Contents were added