squirrelmail: XSS issue caused by an insufficient html mail sanitation

🗓️ 12 Jan 2009 14:24:00Reported by RedHatType

redhat

redhat🔗 access.redhat.com👁 1 Views

Cross site scripting in SquirrelMail before 1.4.17 allows remote attackers to inject script via a hyperlink in an HTML email.

Reporter	Title	Published	Views	Family All 72
Tenable Nessus	CentOS 3 / 4 / 5 : squirrelmail (CESA-2009:0010)	13 Jan 200900:00	–	nessus
Tenable Nessus	Debian DSA-1682-1 : squirrelmail - insufficient input sanitising	11 Dec 200800:00	–	nessus
Tenable Nessus	Fedora 9 : squirrelmail-1.4.17-1.fc9 (2008-10740)	8 Dec 200800:00	–	nessus
Tenable Nessus	Fedora 10 : squirrelmail-1.4.17-2.fc10 (2008-10748)	23 Apr 200900:00	–	nessus
Tenable Nessus	Fedora 8 : squirrelmail-1.4.17-1.fc8 (2008-10918)	8 Dec 200800:00	–	nessus
Tenable Nessus	Fedora 9 : squirrelmail-1.4.18-1.fc9 (2009-4870)	13 May 200900:00	–	nessus
Tenable Nessus	Fedora 10 : squirrelmail-1.4.19-1.fc10 (2009-5350)	26 May 200900:00	–	nessus
Tenable Nessus	Fedora 9 : squirrelmail-1.4.19-1.fc9 (2009-5471)	26 May 200900:00	–	nessus
Tenable Nessus	FreeBSD : squirrelmail -- XSS vulnerability (d1ce8a4f-c235-11dd-8cbc-00163e000016)	5 Dec 200800:00	–	nessus
Tenable Nessus	Mac OS X Multiple Vulnerabilities (Security Update 2009-001)	13 Feb 200900:00	–	nessus

OS	OS Version	Architecture	Package	Package Version	Filename
Red Hat Enterprise Linux	4	any	squirrelmail	0:1.4.8-5.el4_7.2	squirrelmail-0:1.4.8-5.el4_7.2.noarch.rpm
Red Hat Enterprise Linux	5	any	squirrelmail	0:1.4.8-5.el5_2.2	squirrelmail-0:1.4.8-5.el5_2.2.noarch.rpm
Red Hat Enterprise Linux	3	any	squirrelmail	0:1.4.8-8.el3	squirrelmail-0:1.4.8-8.el3.noarch.rpm

Source	Link
access	www.access.redhat.com/security/cve/CVE-2008-2379
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
nvd	www.nvd.nist.gov/vuln/detail/CVE-2008-2379
cve	www.cve.org/CVERecord

21 Nov 2025 17:34Current

5.9Medium risk

Vulners AI Score5.9

CVSS 24.3

EPSS0.01323

SquirrelMail Cross site scripting Vulnerability Hyperlink HTML email Remote attackers