VYPR
Unrated severity · NVD Advisory · Published May 14, 2009 · Updated Apr 23, 2026

CVE-2009-1578

Description

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SquirrelMail before 1.4.18 and NaSMail before 1.7 contain multiple XSS flaws via encrypted email headers, PHP_SELF, and QUERY_STRING.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in SquirrelMail versions before 1.4.18 and NaSMail before 1.7. The flaws allow attackers to inject arbitrary web script or HTML via (1) certain encrypted strings in email headers, related to contrib/decrypt_headers.php; (2) the PHP_SELF variable; and (3) the query string (QUERY_STRING). These vectors are reachable without special configuration, as they involve core input-handling routines in the webmail interface [1][2][3][4].

Exploitation

An attacker can exploit these vulnerabilities by sending a crafted email containing malicious encrypted strings in headers, or by constructing a malicious URL that manipulates PHP_SELF or the query string. No authentication is required; the attacker only needs to deliver the payload to a victim who accesses the vulnerable SquirrelMail or NaSMail interface. For the email header vector, the attacker must control the encrypted content in the header [1][2][3][4].

Impact

Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the victim's browser within the security context of the webmail application. This can lead to session hijacking, credential theft, and other client-side attacks. The impact is limited to the scope of the user's session on the affected webmail system [1][2][3][4].

Mitigation

SquirrelMail addressed these issues in version 1.4.18. NaSMail fixed them in version 1.7. Users should upgrade to these or later versions. If an upgrade is not immediately possible, administrators should restrict access to the webmail interface and ensure no untrusted content can reach the vulnerable scripts [1][2][3][4].
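To make the PHP_SELF and QUERY_STRING vectors concrete, here is an added illustration of the reflection pattern behind them next to its hardened form. This is not SquirrelMail or NaSMail code; the function names, the SCRIPT_NAME substitution and the sample request values are assumptions made for the example.

```php
<?php
// Added illustration of the PHP_SELF / QUERY_STRING reflection pattern named in
// CVE-2009-1578. Not SquirrelMail or NaSMail code; function names and the
// sample request below are constructed for this example.

// Unsafe: request-controlled values are copied verbatim into an HTML attribute.
// PHP_SELF can carry client-chosen PATH_INFO and QUERY_STRING is entirely
// client-chosen, so markup in either lands unescaped in the page.
function render_form_unsafe(array $server): string {
    return '<form action="' . $server['PHP_SELF'] . '?' . $server['QUERY_STRING'] . '">';
}

// Hardened: escape every request-derived value for the attribute context, and
// prefer SCRIPT_NAME over PHP_SELF because SCRIPT_NAME excludes PATH_INFO.
function render_form_safe(array $server): string {
    $script = htmlspecialchars($server['SCRIPT_NAME'] ?? '', ENT_QUOTES, 'UTF-8');
    $query  = htmlspecialchars($server['QUERY_STRING'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<form action="' . $script . '?' . $query . '">';
}

// Regression check a maintainer can keep in a test suite: an input that carries
// markup-significant characters must never appear verbatim in the rendered HTML.
function reflects_raw_markup(string $html, string $input): bool {
    return strpbrk($input, '<>"\'') !== false && strpos($html, $input) !== false;
}

// Constructed sample request: a PATH_INFO suffix on PHP_SELF and a query string
// that both carry harmless test markup.
$server = [
    'SCRIPT_NAME'  => '/src/webmail.php',
    'PHP_SELF'     => '/src/webmail.php/"><b>test</b>',
    'QUERY_STRING' => 'mailbox=INBOX&x="><i>test</i>',
];

var_dump(reflects_raw_markup(render_form_unsafe($server), $server['PHP_SELF']));
var_dump(reflects_raw_markup(render_form_unsafe($server), $server['QUERY_STRING']));
var_dump(reflects_raw_markup(render_form_safe($server), $server['PHP_SELF']));
var_dump(reflects_raw_markup(render_form_safe($server), $server['QUERY_STRING']));
```

The first two checks flag the unsafe renderer; the last two pass for the hardened one because every reflected value is entity-encoded and PATH_INFO is no longer part of the action URL.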

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

61 entries
  • cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*
    • (no CPE) range: <1.4.18
  • NaSMail/NaSMail (llm-fuzzy match)
    Range: <1.7

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

32

News mentions

0

No linked articles in our index yet.