Some versions of SquirrelMail do not properly validate input. Attackers can spoof email addresses through this vulnerability.
An attacker could craft an email message to a SquirrelMail user which, when read by the user, could automatically send email from the user's account to any address of the attacker's choice. This vulnerability could also be used in a cross-site scripting attack to hijack an authenticated user's session.
Upgrade SquirrelMail to version 1.2.4 or later, available from:
Notified: January 28, 2002 Updated: May 30, 2002
"SquirrelMail 1.2.4 is the release that fixed the problem."
The vendor has not provided us with any further information regarding this vulnerability.
Group | Score | Vector
--- | --- | ---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Tom McAdam for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
CVE IDs: | CVE-2002-1648
Severity Metric: | 1.07
Date Public: | 2002-01-24
Date First Published: | 2002-05-30
Date Last Updated: | 2007-05-10 17:06 UTC
Document Revision: | 12