Vendor CVEs
SquirrelMail
All CVEs
79 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7692 | | High | 0.63 | 8.8 | 0.32 | | Apr 20, 2017 | SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server. The… |
| CVE-2018-8741 | | High | 0.58 | 8.8 | 0.04 | | Mar 17, 2018 | A directory traversal flaw in SquirrelMail 1.4.22 allows an authenticated attacker to exfiltrate (or potentially delete) files from the hosting server, related to ../ in the att_local_name field in Deliver.class.php. |
| CVE-2025-30090 | | High | 0.47 | 7.2 | 0.00 | | Apr 2, 2025 | mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true. |
| CVE-2010-1637 | | Med | 0.42 | 6.5 | 0.03 | | Jun 22, 2010 | The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number. |
| CVE-2018-14955 | | Med | 0.40 | 6.1 | 0.01 | | Aug 5, 2018 | The mail message display page in SquirrelMail through 1.4.22 has XSS via SVG animations (animate to attribute). |
| CVE-2018-14954 | | Med | 0.40 | 6.1 | 0.02 | | Aug 5, 2018 | The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute. |
| CVE-2018-14953 | | Med | 0.40 | 6.1 | 0.01 | | Aug 5, 2018 | The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack. |
| CVE-2018-14952 | | Med | 0.40 | 6.1 | 0.01 | | Aug 5, 2018 | The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<maction xlink:href=" attack. |
| CVE-2018-14951 | | Med | 0.40 | 6.1 | 0.01 | | Aug 5, 2018 | The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. |
| CVE-2018-14950 | | Med | 0.40 | 6.1 | 0.01 | | Aug 5, 2018 | The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<a xlink:href=" attack. |
| CVE-2006-2842 | | | 0.07 | — | 0.47 | | Jun 6, 2006 | PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue… |
| CVE-2004-0519 | | | 0.05 | — | 0.23 | | Aug 18, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. |
| CVE-2003-0990 | | | 0.05 | — | 0.29 | | Jan 20, 2004 | The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote attackers to execute commands via shell metacharacters in the "To:" field. |
| CVE-2002-1131 | | | 0.05 | — | 0.26 | | Oct 4, 2002 | Cross-site scripting vulnerabilities in SquirrelMail 1.2.7 and earlier allow remote attackers to execute script as other web users via (1) addressbook.php, (2) options.php, (3) search.php, or (4) help.php. |
| CVE-2006-4019 | | | 0.04 | — | 0.09 | | Aug 11, 2006 | Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and preferences of other users. |
| CVE-2005-1924 | | | 0.04 | — | 0.10 | | Dec 31, 2005 | The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php,… |
| CVE-2004-0520 | | | 0.04 | — | 0.07 | | Aug 18, 2004 | Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. |
| CVE-2002-0516 | | | 0.04 | — | 0.11 | | Aug 12, 2002 | SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variable in a cookie. |
| CVE-2007-3636 | | | 0.03 | — | 0.03 | | Jul 10, 2007 | Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin 2.1 for Squirrelmail allow remote attackers to execute arbitrary commands via unspecified vectors. NOTE: this information is based upon a vague pre-advisory from a reliable researcher. |
| CVE-2006-0331 | | | 0.03 | — | 0.01 | | Jan 21, 2006 | Buffer overflow in Change passwd 3.1 (chpasswd) SquirrelMail plugin allows local users to execute arbitrary code via long command line arguments. |
| CVE-2005-3128 | | | 0.03 | — | 0.03 | | Oct 4, 2005 | Cross-site scripting (XSS) vulnerability in add.php in Address Add Plugin 1.9 and 2.0 for Squirrelmail allows remote attackers to inject arbitrary web script or HTML via the IMG tag. |
| CVE-2005-2095 | | | 0.03 | — | 0.04 | | Jul 13, 2005 | options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting (XSS) attacks, and write arbitrary files. |
| CVE-2004-0524 | | | 0.03 | — | 0.05 | | Aug 6, 2004 | Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gain root privileges via a long user name. |
| CVE-2004-0639 | | | 0.03 | — | 0.06 | | Aug 6, 2004 | Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors… |
| CVE-2020-14932 | | | 0.00 | — | 0.01 | | Jun 20, 2020 | compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is related to mailto.php. |
| CVE-2020-14933 | | | 0.00 | — | 0.01 | | Jun 20, 2020 | compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup… |
| CVE-2012-5623 | | | 0.00 | — | 0.01 | | Feb 13, 2020 | Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords. |
| CVE-2019-12970 | | | 0.00 | — | 0.02 | | Jul 1, 2019 | XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context… |
| CVE-2012-2124 | | | 0.00 | — | 0.02 | | Jan 18, 2013 | functions/imap_general.php in SquirrelMail, as used in Red Hat Enterprise Linux (RHEL) 4 and 5, does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different… |
| CVE-2012-0323 | | | 0.00 | — | 0.01 | | Mar 9, 2012 | Cross-site scripting (XSS) vulnerability in the Autocomplete plugin before 3.0 for SquirrelMail allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2011-2753 | | | 0.00 | — | 0.01 | | Jul 17, 2011 | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the empty trash implementation and (2) the Index Order (aka options_order) page, a… |
| CVE-2011-2752 | | | 0.00 | — | 0.02 | | Jul 17, 2011 | CRLF injection vulnerability in SquirrelMail 1.4.21 and earlier allows remote attackers to modify or add preference values via a \n (newline) character, a different vulnerability than CVE-2010-4555. |
| CVE-2011-2023 | | | 0.00 | — | 0.02 | | Jul 14, 2011 | Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message. |
| CVE-2010-4555 | | | 0.00 | — | 0.02 | | Jul 14, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin,… |
| CVE-2010-4554 | | | 0.00 | — | 0.02 | | Jul 14, 2011 | functions/page_header.php in SquirrelMail 1.4.21 and earlier does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. |
| CVE-2010-2813 | | | 0.00 | — | 0.04 | | Aug 19, 2010 | functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of… |
| CVE-2009-2964 | | | 0.00 | — | 0.02 | | Aug 25, 2009 | Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1)… |
| CVE-2009-1381 | | | 0.00 | — | 0.03 | | May 22, 2009 | The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the… |
| CVE-2009-1581 | | | 0.00 | — | 0.02 | | May 14, 2009 | functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing… |
| CVE-2009-1580 | | | 0.00 | — | 0.02 | | May 14, 2009 | Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. |
| CVE-2009-1579 | | | 0.00 | — | 0.03 | | May 14, 2009 | The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. |
| CVE-2009-1578 | | | 0.00 | — | 0.02 | | May 14, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php;… |
| CVE-2009-0030 | | | 0.00 | — | 0.02 | | Jan 21, 2009 | A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. … |
| CVE-2008-2379 | | | 0.00 | — | 0.02 | | Dec 5, 2008 | Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. |
| CVE-2008-3663 | | | 0.00 | — | 0.02 | | Sep 24, 2008 | Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
| CVE-2007-6348 | | | 0.00 | — | 0.04 | | Dec 14, 2007 | SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote attackers to execute arbitrary code. |
| CVE-2007-3779 | | | 0.00 | — | 0.01 | | Jul 15, 2007 | PHP local file inclusion vulnerability in gpg_pop_init.php in the G/PGP (GPG) Plugin before 20070707 for Squirrelmail allows remote attackers to include and execute arbitrary local files, related to the MOD parameter. |
| CVE-2007-3778 | | | 0.00 | — | 0.03 | | Jul 15, 2007 | The G/PGP (GPG) Plugin 2.0, and 2.1dev before 20060912, for Squirrelmail allows remote attackers to execute arbitrary commands via shell metacharacters in the messageSignedText parameter to the gpg_check_sign_pgp_mime function in gpg_hook_functions.php. NOTE: a parameter value… |
| CVE-2006-4169 | | | 0.00 | — | 0.02 | | Jul 15, 2007 | Multiple directory traversal vulnerabilities in the G/PGP (GPG) Plugin 2.0, and 2.1dev before 20070614, for Squirrelmail allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the help parameter to (1) gpg_help.php or (2)… |
| CVE-2007-3634 | | | 0.00 | — | 0.02 | | Jul 10, 2007 | Unspecified vulnerability in the G/PGP (GPG) Plugin 2.0 for Squirrelmail 1.4.10a allows remote authenticated users to execute arbitrary commands via unspecified vectors, possibly related to the passphrase variable in the gpg_sign_attachment function, aka ZD-00000004. this… |
Page 1 of 2