Lucene search

GoogleOSV:DSA-820-1

HistorySep 24, 2005 - 12:00 a.m.

courier - missing input sanitising

2005-09-2400:00:00

Google

osv.dev

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

Jakob Balle discovered that with “Conditional Comments” in Internet
Explorer it is possible to hide javascript code in comments that will
be executed when the browser views a malicious email via sqwebmail.
Successful exploitation requires that the user is using Internet
Explorer.

For the old stable distribution (woody) this problem has been fixed in
version 0.37.3-2.7.

For the stable distribution (sarge) this problem has been fixed in
version 0.47-4sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 0.47-9.

We recommend that you upgrade your sqwebmail package.

CPENameOperatorVersion
couriereq0.47-4sarge2
couriereq0.47-4
couriereq0.47-4sarge1

Name	Operator	Version
courier	eq	0.47-4sarge2
courier	eq	0.47-4
courier	eq	0.47-4sarge1

References

www.debian.org/security/2005/dsa-820

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

Related for OSV:DSA-820-1