VYPR

Squirrelmail

by SquirrelMail

CVEs (67)

  • CVE-2017-7692 | High | Apr 20, 2017
    risk 0.63 | cvss 8.8 | epss 0.32

    SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The…

  • CVE-2018-8741 | High | Mar 17, 2018
    risk 0.58 | cvss 8.8 | epss 0.04

    A directory traversal flaw in SquirrelMail 1.4.22 allows an authenticated attacker to exfiltrate (or potentially delete) files from the hosting server, related to ../ in the att_local_name field in Deliver.class.php.

  • CVE-2025-30090 | High | Apr 2, 2025
    risk 0.47 | cvss 7.2 | epss 0.00

    mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true.

  • CVE-2010-1637 | Medium | Jun 22, 2010
    risk 0.42 | cvss 6.5 | epss 0.03

    The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number.

  • CVE-2018-14955 | Medium | Aug 5, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    The mail message display page in SquirrelMail through 1.4.22 has XSS via SVG animations (animate to attribute).

  • CVE-2018-14954 | Medium | Aug 5, 2018
    risk 0.40 | cvss 6.1 | epss 0.02

    The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute.

  • CVE-2018-14953 | Medium | Aug 5, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack.

  • CVE-2018-14952 | Medium | Aug 5, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<maction xlink:href=" attack.

  • CVE-2018-14951 | Medium | Aug 5, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack.

  • CVE-2018-14950 | Medium | Aug 5, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<a xlink:href=" attack.

  • CVE-2006-2842 | Jun 6, 2006
    risk 0.07 | cvss (none listed) | epss 0.47

    PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue…

  • CVE-2004-0519 | Aug 18, 2004
    risk 0.05 | cvss (none listed) | epss 0.23

    Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.

  • CVE-2003-0990 | Jan 20, 2004
    risk 0.05 | cvss (none listed) | epss 0.29

    The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote attackers to execute commands via shell metacharacters in the "To:" field.

  • CVE-2002-1131 | Oct 4, 2002
    risk 0.05 | cvss (none listed) | epss 0.26

    Cross-site scripting vulnerabilities in SquirrelMail 1.2.7 and earlier allow remote attackers to execute script as other web users via (1) addressbook.php, (2) options.php, (3) search.php, or (4) help.php.

  • CVE-2006-4019 | Aug 11, 2006
    risk 0.04 | cvss (none listed) | epss 0.09

    Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and preferences of other users.

  • CVE-2004-0520 | Aug 18, 2004
    risk 0.04 | cvss (none listed) | epss 0.07

    Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.

  • CVE-2002-0516 | Aug 12, 2002
    risk 0.04 | cvss (none listed) | epss 0.11

    SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variable in a cookie.

  • CVE-2007-3636 | Jul 10, 2007
    risk 0.03 | cvss (none listed) | epss 0.03

    Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin 2.1 for Squirrelmail allow remote attackers to execute arbitrary commands via unspecified vectors. NOTE: this information is based upon a vague pre-advisory from a reliable researcher.

  • CVE-2005-2095 | Jul 13, 2005
    risk 0.03 | cvss (none listed) | epss 0.04

    options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting (XSS) attacks, and write arbitrary files.

  • CVE-2004-0639 | Aug 6, 2004
    risk 0.03 | cvss (none listed) | epss 0.06

    Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors…

Page 1 of 4