OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
{ "source": [ "DESCRIPTION", "REFERENCES" ], "extracted_events": [ { "introduced": "0" }, { "fixed": "8.0.3" } ] }
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-37248.json"