Unrated severity · NVD Advisory · Published Jun 5, 2001 · Updated Apr 16, 2026
CVE-2001-1088
Description
Microsoft Outlook 8.5 and earlier, and Outlook Express 5 and earlier, with the "Automatically put people I reply to in my address book" option enabled, do not notify the user when the "Reply-To" address is different than the "From" address, which could allow an untrusted remote attacker to spoof legitimate addresses and intercept email from the client that is intended for another user.
Affected products
- cpe:2.3:a:microsoft:outlook_express:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:4.27.3110:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:4.5:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:4.72.2106:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:4.72.3120.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:4.72.3612:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:5.5:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- www.securityfocus.com/archive/1/188752 (nvd: Exploit, Vendor Advisory)
- www.securityfocus.com/bid/2823 (nvd: Exploit, Vendor Advisory)
- support.microsoft.com/default.aspx (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/6655 (nvd)