Total
67 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2009-2964 | 1 Squirrelmail | 1 Squirrelmail | 2017-09-18 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | |||||
CVE-2011-2752 | 1 Squirrelmail | 1 Squirrelmail | 2017-08-28 | 5.8 MEDIUM | N/A |
CRLF injection vulnerability in SquirrelMail 1.4.21 and earlier allows remote attackers to modify or add preference values via a \n (newline) character, a different vulnerability than CVE-2010-4555. | |||||
CVE-2011-2753 | 1 Squirrelmail | 1 Squirrelmail | 2017-08-28 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the empty trash implementation and (2) the Index Order (aka options_order) page, a different issue than CVE-2010-4555. | |||||
CVE-2010-4555 | 1 Squirrelmail | 1 Squirrelmail | 2017-08-16 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin, and (3) errors associated with the Index Order (aka options_order) page. | |||||
CVE-2010-4554 | 1 Squirrelmail | 1 Squirrelmail | 2017-08-16 | 4.3 MEDIUM | N/A |
functions/page_header.php in SquirrelMail 1.4.21 and earlier does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. | |||||
CVE-2010-2813 | 1 Squirrelmail | 1 Squirrelmail | 2017-08-16 | 5.0 MEDIUM | N/A |
functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files. | |||||
CVE-2006-3174 | 1 Squirrelmail | 1 Squirrelmail | 2017-07-19 | 2.6 LOW | N/A |
Cross-site scripting (XSS) vulnerability in search.php in SquirrelMail 1.5.1 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary HTML via the mailbox parameter. | |||||
CVE-2006-3665 | 1 Squirrelmail | 1 Squirrelmail | 2017-07-19 | 4.3 MEDIUM | N/A |
SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows remote attackers to hijack cookies in src/redirect.php via unknown vectors. NOTE: while "cookie theft" is frequently associated with XSS, the vendor disclosure is too vague to be certain of this. | |||||
CVE-2004-0639 | 3 Open Webmail, Sgi, Squirrelmail | 3 Open Webmail, Propack, Squirrelmail | 2017-07-10 | 6.8 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable. | |||||
CVE-2002-1341 | 1 Squirrelmail | 1 Squirrelmail | 2017-07-10 | 6.8 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in read_body.php for SquirrelMail 1.2.10, 1.2.9, and earlier allows remote attackers to insert script and HTML via the (1) mailbox and (2) passed_id parameters. | |||||
CVE-2003-0990 | 1 Squirrelmail | 2 Gpg Plugin, Squirrelmail | 2017-07-10 | 7.5 HIGH | N/A |
The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote attackers to execute commands via shell metacharacters in the "To:" field. | |||||
CVE-2002-2086 | 1 Squirrelmail | 1 Squirrelmail | 2017-07-10 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in magicHTML of SquirrelMail before 1.2.6 allow remote attackers to inject arbitrary web script or HTML via (1) "<<script" in unspecified input fields or (2) a javascript: URL in the src attribute of an IMG tag. | |||||
CVE-2002-1650 | 1 Squirrelmail | 1 Squirrelmail | 2017-07-10 | 7.5 HIGH | N/A |
The spell checker plugin (check_me.mod.php) for SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary commands via a modified sqspell_command parameter. | |||||
CVE-2002-1649 | 1 Squirrelmail | 1 Squirrelmail | 2017-07-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in read_body.php in SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary Javascript via a javascript: URL in an IMG tag. | |||||
CVE-2002-1648 | 1 Squirrelmail | 1 Squirrelmail | 2017-07-10 | 7.5 HIGH | N/A |
Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail before 1.2.3 allows remote attackers to send email as other users via an IMG URL with modified send_to and subject parameters. | |||||
CVE-2012-0323 | 2 Paul Lesniewsk, Squirrelmail | 2 Autocomplete, Squirrelmail | 2012-07-01 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Autocomplete plugin before 3.0 for SquirrelMail allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2011-2023 | 1 Squirrelmail | 1 Squirrelmail | 2012-02-13 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message. | |||||
CVE-2010-1637 | 1 Squirrelmail | 1 Squirrelmail | 2012-02-13 | 4.0 MEDIUM | N/A |
The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number. | |||||
CVE-2007-3636 | 1 Squirrelmail | 2 Gpg Plugin, Squirrelmail | 2008-11-14 | 7.5 HIGH | N/A |
Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin 2.1 for Squirrelmail allow remote attackers to execute arbitrary commands via unspecified vectors. NOTE: this information is based upon a vague pre-advisory from a reliable researcher. | |||||
CVE-2007-3634 | 1 Squirrelmail | 2 Gpg Plugin, Squirrelmail | 2008-11-14 | 6.5 MEDIUM | N/A |
Unspecified vulnerability in the G/PGP (GPG) Plugin 2.0 for Squirrelmail 1.4.10a allows remote authenticated users to execute arbitrary commands via unspecified vectors, possibly related to the passphrase variable in the gpg_sign_attachment function, aka ZD-00000004. this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine. |