Lucene search

K
cveRedhatCVE-2009-0030
HistoryJan 21, 2009 - 8:30 p.m.

CVE-2009-0030

2009-01-2120:30:00
CWE-287
redhat
web.nvd.nist.gov
41
red hat
squirrelmail
sqmsessid
webmail
cve-2009-0030
cve-2008-3663
security vulnerability
authentication
remote access

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score

7.2

Confidence

High

EPSS

0.005

Percentile

76.4%

A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users’ folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.

Affected configurations

Nvd
Node
squirrelmailsquirrelmailMatch1.4.8
VendorProductVersionCPE
squirrelmailsquirrelmail1.4.8cpe:2.3:a:squirrelmail:squirrelmail:1.4.8:*:*:*:*:*:*:*

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

AI Score

7.2

Confidence

High

EPSS

0.005

Percentile

76.4%