7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.02 Low
EPSS
Percentile
88.8%
Some versions of SquirrelMail do not properly validate input. Attackers can spoof email addresses through this vulnerability.
SquirrelMail is a collection of PHP4 scripts that provides webmail services. Prior to version 1.24, SquirrelMail does not properly validate Universal Resource Identifiers (URI’s) and JavaScript code embedded in HTML tags within an email message. These tags are sent by SquirrelMail to the user’s web browser, which could make the browser request the embedded URI’s or execute the JavaScript code.
An attacker could craft an email message to a SquirrelMail user which, when read by the user, could automatically send email from the user’s account to any address of the attacker’s choice. This vulnerability could also be used in a cross-site scripting attack to hijack an authenticated user’s session.
Upgrade SquirrelMail to version 1.2.4 or later, available from:
<http://www.squirrelmail.org/download.php>
153043
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: January 28, 2002 Updated: May 30, 2002
Affected
“SquirrelMail 1.2.4 is the release that fixed the problem.”
The vendor has not provided us with any further information regarding this vulnerability.
Upgrade SquirrelMail to version 1.2.4 or later, available from
<http://www.squirrelmail.org/download.php>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23153043 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
Thanks to Tom McAdam for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
CVE IDs: | CVE-2002-1648 |
---|---|
Severity Metric: | 1.07 Date Public: |