Squirrelmail
by SquirrelMail
CVEs (67)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2002-1648 | 0.00 | — | 0.03 | Dec 31, 2002 | Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail before 1.2.3 allows remote attackers to send email as other users via an IMG URL with modified send_to and subject parameters. | |||
| CVE-2002-1649 | 0.00 | — | 0.01 | Dec 31, 2002 | Cross-site scripting (XSS) vulnerability in read_body.php in SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary Javascript via a javascript: URL in an IMG tag. | |||
| CVE-2002-1650 | 0.00 | — | 0.04 | Dec 31, 2002 | The spell checker plugin (check_me.mod.php) for SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary commands via a modified sqspell_command parameter. | |||
| CVE-2002-1341 | 0.00 | — | 0.02 | Dec 18, 2002 | Cross-site scripting (XSS) vulnerability in read_body.php for SquirrelMail 1.2.10, 1.2.9, and earlier allows remote attackers to insert script and HTML via the (1) mailbox and (2) passed_id parameters. | |||
| CVE-2002-1276 | 0.00 | — | 0.01 | Nov 29, 2002 | An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks. | |||
| CVE-2002-1132 | 0.00 | — | 0.02 | Oct 4, 2002 | SquirrelMail 1.2.7 and earlier allows remote attackers to determine the absolute pathname of the options.php script via a malformed optpage file argument, which generates an error message when the file cannot be included in the script. | |||
| CVE-2001-1159 | 0.00 | — | 0.04 | Jul 2, 2001 | load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config_php and data_dir options, and (2) execute arbitrary code by using… |
- CVE-2002-1648Dec 31, 2002risk 0.00cvss —epss 0.03
Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail before 1.2.3 allows remote attackers to send email as other users via an IMG URL with modified send_to and subject parameters.
- CVE-2002-1649Dec 31, 2002risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in read_body.php in SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary Javascript via a javascript: URL in an IMG tag.
- CVE-2002-1650Dec 31, 2002risk 0.00cvss —epss 0.04
The spell checker plugin (check_me.mod.php) for SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary commands via a modified sqspell_command parameter.
- CVE-2002-1341Dec 18, 2002risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in read_body.php for SquirrelMail 1.2.10, 1.2.9, and earlier allows remote attackers to insert script and HTML via the (1) mailbox and (2) passed_id parameters.
- CVE-2002-1276Nov 29, 2002risk 0.00cvss —epss 0.01
An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks.
- CVE-2002-1132Oct 4, 2002risk 0.00cvss —epss 0.02
SquirrelMail 1.2.7 and earlier allows remote attackers to determine the absolute pathname of the options.php script via a malformed optpage file argument, which generates an error message when the file cannot be included in the script.
- CVE-2001-1159Jul 2, 2001risk 0.00cvss —epss 0.04
load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config_php and data_dir options, and (2) execute arbitrary code by using…
Page 4 of 4