An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks.
References
Link | Resource |
---|---|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=167471 | Patch Vendor Advisory |
http://www.debian.org/security/2002/dsa-191 | Vendor Advisory |
http://www.redhat.com/support/errata/RHSA-2003-042.html | Patch Vendor Advisory |
http://www.securityfocus.com/bid/7019 | |
http://www.iss.net/security_center/static/10634.php | |
http://secunia.com/advisories/8220 |
Configurations
Information
Published : 2002-11-28 21:00
Updated : 2008-09-05 13:30
NVD link : CVE-2002-1276
Mitre link : CVE-2002-1276
JSON object : View
CWE
Products Affected
squirrelmail
- squirrelmail