[email protected]CVE-2008-3663

HistorySep 24, 2008 - 2:56 p.m.

CVE-2008-3663

2008-09-2414:56:00

CWE-310

[email protected]

web.nvd.nist.gov

cve-2008-3663

squirrelmail

session cookie

security

https

http requests

6.2 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

75.1%

JSON

Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

CPENameOperatorVersion
squirrelmail:squirrelmailsquirrelmaileq1.4.15

CPE	Name	Operator	Version
squirrelmail:squirrelmail	squirrelmail	eq	1.4.15

References

int21.de/cve/CVE-2008-3663-squirrelmail.html

lists.apple.com/archives/security-announce/2009/Feb/msg00000.html

lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html

lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

secunia.com/advisories/33937

securityreason.com/securityalert/4304

support.apple.com/kb/HT3438

www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html

www.securityfocus.com/archive/1/496601/100/0/threaded

www.securityfocus.com/bid/31321

exchange.xforce.ibmcloud.com/vulnerabilities/45700

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548

6.2 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

75.1%

JSON

Related for CVE-2008-3663

nessus14 openvas33 fedora6 veracode1 securityvulns2 freebsd1 prion2 seebug2 redhat1 oraclelinux2 ubuntucve2 cve1 centos1