CVE-2009-1581
Description
functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SquirrelMail before 1.4.18 fails to protect from CSS positioning in HTML emails, enabling UI spoofing, XSS, and phishing.
Vulnerability
SquirrelMail, a webmail application, does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML email messages. The vulnerability resides in functions/mime.php and affects versions before 1.4.18. No special configuration is required for the code path to be reachable; the application processes inline CSS within HTML emails by default [2][3][4].
Exploitation
An attacker can send a crafted HTML email containing CSS positioning instructions. The victim only needs to view the email in SquirrelMail. No authentication or special network position is required, since the message is delivered via standard SMTP. The CSS can reposition UI elements of the SquirrelMail interface, allowing the attacker to overlay malicious content on top of legitimate controls [1][2][4].
Impact
Successful exploitation allows the attacker to spoof the user interface, potentially tricking the victim into performing actions such as disclosing credentials or clicking on malicious links. This effectively enables cross-site scripting (XSS) and phishing attacks within the context of the SquirrelMail session, compromising the confidentiality and integrity of user data [1][2][3].
Mitigation
The vulnerability is fixed in SquirrelMail version 1.4.18 and later [2][3]. Users should upgrade to 1.4.18 or newer. Apple Mac OS X shipped with an affected SquirrelMail; Apple addressed this in Security Update 2010-004 for Mac OS X v10.6.4 [1]. No workarounds are documented in the provided references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.3pre1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.3pre2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.4pre1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.4pre2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.5pre1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.5pre2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0pre1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0pre2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0pre3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.0_rc3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.0_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.0_rc2a:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.10a:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.15_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.16:*:*:*:*:*:*:*
- (no CPE) version range: < 1.4.18
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.redhat.com/show_bug.cgi (NVD; Patch)
- secunia.com/advisories/35052 (NVD; Vendor Advisory)
- secunia.com/advisories/35073 (NVD; Vendor Advisory)
- www.vupen.com/english/advisories/2009/1296 (NVD; Vendor Advisory)
- lists.apple.com/archives/security-announce/2010//Jun/msg00001.html (NVD)
- secunia.com/advisories/35140 (NVD)
- secunia.com/advisories/35259 (NVD)
- secunia.com/advisories/40220 (NVD)
- squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog (NVD)
- squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/mime.php (NVD)
- squirrelmail.svn.sourceforge.net/viewvc/squirrelmail (NVD)
- support.apple.com/kb/HT4188 (NVD)
- www.debian.org/security/2009/dsa-1802 (NVD)
- www.mandriva.com/security/advisories (NVD)
- www.redhat.com/support/errata/RHSA-2009-1066.html (NVD)
- www.securityfocus.com/bid/34916 (NVD)
- www.squirrelmail.org/security/issue/2009-05-12 (NVD)
- www.vupen.com/english/advisories/2010/1481 (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/50463 (NVD)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10441 (NVD)
- www.redhat.com/archives/fedora-package-announce/2009-May/msg00566.html (NVD)
- www.redhat.com/archives/fedora-package-announce/2009-May/msg00572.html (NVD)
- www.redhat.com/archives/fedora-package-announce/2009-May/msg00577.html (NVD)
News mentions
No linked articles in our index yet.