CVE-2020-37248
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, allowing STRIPTLS and man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.
Risk Assessment
The organization is at risk of credential interception by attackers, potentially leading to unauthorized access to user accounts.
Recommendation
It is recommended to upgrade OfflineIMAP to version 8.0.3 or later to mitigate this vulnerability.
Original NVD description (English source)
OfflineIMAP before 8.0.3 trusts the server with their STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks, taking over the connection and extracting account credentials in cleartext.

