Search: Squirrelmail

64 matches found

CVE-2017-7692 (added 2017/04/20 2:00 p.m., 150 views)

CVE-2017-7692 affects SquirrelMail up to 1.4.22 (and likely older in SVN builds) where the sendmail delivery path mishandles a user-controlled sendmail.cf via a popen call. The root cause is the use of escapeshellcmd() in Deliver_SendMail.class.php/initStream, which fails to escape spaces, enabli...

Scores: CVSS 9, AI score 9, EPSS 0.32156. Tags: In wild, Web

CVE-2006-2842 (added 2006/06/06 8:03 p.m., 149 views)

Summary: CVE-2006-2842 affects SquirrelMail 1.4.6 and earlier, with a PHP local/file inclusion vulnerability in functions/plugin.php when register_globals is enabled and magic_quotes_gpc is disabled. An attacker can induce LFI by supplying a URL in the plugins array parameter, potentially allowin...

Scores: CVSS 7.5, AI score 7.2, EPSS 0.46565

CVE-2005-0103 (added 2005/02/06 5:00 a.m., 142 views)

CVE-2005-0103 is a remote code execution vulnerability in SquirrelMail

Scores: CVSS 7.5, AI score 7.2, EPSS 0.02342

CVE-2004-1036 (added 2004/11/16 5:00 a.m., 133 views)

CVE-2004-1036 affects SquirrelMail 1.4.3a and earlier, and 1.5.1-cvs before 23 Oct 2004. The vulnerability is a cross-site scripting (XSS) flaw in the decoding of encoded text in certain headers within mime.php, enabling remote attackers to run arbitrary web script or HTML in th...

Scores: CVSS 6.8, AI score 5.9, EPSS 0.02818

CVE-2004-0521 (added 2004/06/03 4:00 a.m., 125 views)

CVE-2004-0521 affects SquirrelMail prior to version 1.4.3 RC1 through an SQL injection in abook_database.php. Root cause: improper input handling allows remote attackers to execute arbitrary SQL statements. Impact (per sources): confidentiality, integrity, and availability may be fully compromise...

Scores: CVSS 10, AI score 7.5, EPSS 0.03152

CVE-2005-2095 (added 2005/07/13 4:00 a.m., 124 views)

CVE-2005-2095 affects SquirrelMail

Scores: CVSS 4.3, AI score 8.8, EPSS 0.04242

CVE-2019-12970 (added 2019/07/01 10:32 a.m., 123 views)

CVE-2019-12970 is a disclosed XSS in SquirrelMail prior to updates addressing versions up to 1.4.22 and 1.5.x through 1.5.2. Root cause: improper handling of RCDATA/RAWTEXT in the sanitization mechanism allows bypass, enabling malicious script injection from HTML e-mails when assets such as NOEMB...

Scores: CVSS 6.1, AI score 5.7, EPSS 0.01819

CVE-2006-4019 (added 2006/08/11 9:00 p.m., 118 views)

CVE-2006-4019 affects SquirrelMail up to version 1.4.7, where a dynamic variable evaluation flaw in compose.php can allow an attacker to overwrite variables used by the script and influence actions, potentially reading/writing attachments and other users’ preferences. The issue stems from unsafe ...

Scores: CVSS 6.4, AI score 6.4, EPSS 0.09234

CVE-2006-0188 (added 2006/02/24 12:00 a.m., 117 views)

SquirrelMail webmail 1.4.0–1.4.5 is affected by CVE-2006-0188 (and related CVEs listed in advisory DSA-988-1/CESA-2006:0283), allowing remote attackers to inject arbitrary HTML via the right_frame parameter in webmail.php. Debian/Red Hat/CentOS advisories recommend upgrading to SquirrelMail 1.4.6...

Scores: CVSS 4.3, AI score 5.4, EPSS 0.02002

CVE-2010-1637 (added 2010/06/22 5:00 p.m., 110 views)

CVE-2010-1637 affects SquirrelMail up to version 1.4.20 with the Mail Fetch plugin. The vulnerability allows remote authenticated users to bypass firewall rules and proxy through a modified POP3 port to scan internal networks. The documented impact is limited to port-scanning capability via the M...

Scores: CVSS 6.5, AI score 5.9, EPSS 0.02676

CVE-2005-0104 (added 2005/02/06 5:00 a.m., 108 views)

CVE-2005-0104 is a cross-site scripting (XSS) vulnerability in SquirrelMail’s webmail.php prior to 1.4.4. The issue allows an attacker to inject arbitrary web script or HTML via certain integer variables, enabling an unchecked/unsanitized input path that can be reflected to users. Public referenc...

Scores: CVSS 4.3, AI score 5.4, EPSS 0.01837

CVE-2006-0195 (added 2006/02/24 12:00 a.m., 108 views)

CVE-2006-0195 affects SquirrelMail 1.4.0–1.4.5 and is caused by an interpretation conflict in the MagicHTML filter, enabling remote XSS via style sheet specifiers with invalid /* */ comments or a newline in the url specifier. Public advisories and OpenVAS entries reference related fixes; Debian/C...

Scores: CVSS 4.3, AI score 5.5, EPSS 0.02034

CVE-2004-0519 (added 2004/06/03 4:00 a.m., 105 views)

SquirrelMail 1.4.x is affected by multiple cross-site scripting (XSS) vulnerabilities (e.g., via the mailbox parameter in compose.php) that could let remote attackers run arbitrary JavaScript in a user's browser and potentially steal authentication information. The issue concerns SquirrelMail ver...

Scores: CVSS 6.8, AI score 6.2, EPSS 0.22528

CVE-2005-1769 (added 2005/06/20 4:00 a.m., 105 views)

CVE-2005-1769 concerns multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail versions 1.4.0–1.4.4. The issues allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in the URL or in an e-mail message. The weaknesses have a CVSS v2 base score of 4.3 ...

Scores: CVSS 4.3, AI score 8.1, EPSS 0.0183

CVE-2006-6142 (added 2006/12/05 11:00 a.m., 103 views)

CVE-2006-6142 covers multiple XSS vulnerabilities in SquirrelMail 1.4.0–1.4.9. Vulnerabilities include injection of arbitrary web script/HTML via the mailto parameter in webmail.php, the session and delete_draft parameters in compose.php, and additional vectors related to a flaw in the magicHTML ...

Scores: CVSS 6.8, AI score 5.5, EPSS 0.01924

CVE-2009-1578 (added 2009/05/14 5:00 p.m., 99 views)

CVE-2009-1578 affects SquirrelMail < 1.4.18 and NaSMail

Scores: CVSS 4.3, AI score 6.6, EPSS 0.01977. Tags: Web

CVE-2006-0377 (added 2006/02/24 12:00 a.m., 98 views)

CVE-2006-0377 affects SquirrelMail 1.4.0–1.4.5, enabling CRLF injection in the sqimap_mailbox_select path to inject IMAP commands. The Debian/DSA-988 advisory and related OpenVAS entries confirm this trio of vulnerabilities and note a fixed version (Debian: 1.2.6-5 for old Woody; CentOS/Red Hat a...

Scores: CVSS 5, AI score 6.8, EPSS 0.02296. Tags: Web

CVE-2006-3174 (added 2006/06/23 12:00 a.m., 98 views)

CVE-2006-3174 is a cross-site scripting (XSS) vulnerability in SquirrelMail up to version 1.5.1, triggered in search.php when register_globals is enabled. An attacker could inject arbitrary HTML via the mailbox parameter, potentially affecting users who view the affected page. Connected documents...

Scores: CVSS 2.6, AI score 5.5, EPSS 0.01671

CVE-2018-8741 (added 2018/03/17 2:00 p.m., 98 views)

SquirrelMail 1.4.22 contains a directory traversal flaw in Deliver.class.php (att_local_name field) that can allow an authenticated attacker to exfiltrate or delete files on the hosting server. Public reports reference CVE-2018-8741 across multiple advisories (Debian DLA-1344-1; Fedora updates fo...

Scores: CVSS 8.8, AI score 8.3, EPSS 0.04451

CVE-2009-1579 (added 2009/05/14 5:00 p.m., 96 views)

CVE-2009-1579 affects SquirrelMail before 1.4.18 and NaSMail before 1.7. The flaw is in map_yp_alias within functions/imap_general.php, where a username string used by the ypmatch program can be crafted with shell metacharacters to execute arbitrary commands on the server. Public sources show mul...

Scores: CVSS 6.8, AI score 7.7, EPSS 0.03399

CVE-2005-0075 (added 2005/02/06 5:00 a.m., 95 views)

CVE-2005-0075 affects SquirrelMail

Scores: CVSS 5, AI score 6.3, EPSS 0.01676

CVE-2011-2023 (added 2011/07/14 11:00 p.m., 90 views)

CVE-2011-2023 affects SquirrelMail

Scores: CVSS 4.3, AI score 5.9, EPSS 0.02324. Tags: Web

CVE-2010-2813 (added 2010/08/19 5:43 p.m., 89 views)

SquirrelMail’s imap_general.php vulnerability (CVE-2010-2813) affects versions prior to 1.4.21, where 8-bit password handling allows remote attackers to trigger a denial of service (disk consumption) by issuing numerous IMAP login attempts with different usernames, causing many preferences files ...

Scores: CVSS 5, AI score 6.2, EPSS 0.04048

CVE-2010-4554 (added 2011/07/14 11:00 p.m., 86 views)

CVE-2010-4554 affects SquirrelMail 1.4.21 and earlier: the function page_header.php did not prevent rendering in a frame, enabling clickjacking via a crafted site. Remediation is via the backported patches in the 2012 security updates (e.g., RHSA-2012:0103 / ELSA-2012-0103) that restrict the main...

Scores: CVSS 4.3, AI score 6, EPSS 0.01807

CVE-2007-1262 (added 2007/05/11 3:55 a.m., 83 views)

CVE-2007-1262 affects SquirrelMail 1.4.0–1.4.9a with multiple HTML filter XSS weaknesses: injection via the data: URI in HTML email attachments, and injection via improper handling of non-ASCII characters when viewed in Internet Explorer. Exploitation could allow remote script execution within the user...

Scores: CVSS 4.3, AI score 5.4, EPSS 0.0253

CVE-2002-1131 (added 2002/09/24 4:00 a.m., 82 views)

SquirrelMail 1.2.6/1.2.7 is affected by a cross-site scripting vulnerability in the Virtual Keyboard plugin due to insufficient input sanitization. This could allow an attacker to execute arbitrary script in the victim’s browser (affecting users via the plugin). Debian/OpenVAS entries indicate fi...

Scores: CVSS 7.5, AI score 6.6, EPSS 0.25754. Tags: Web

CVE-2009-1581 (added 2009/05/14 5:00 p.m., 81 views)

CVE-2009-1581 affects SquirrelMail up to version 1.4.18, where functions/mime.php fails to protect against CSS positioning in HTML email. This allows a remote attacker to spoof the user interface and can enable cross-site scripting (XSS) and phishing via a crafted message. The connected advisorie...

Scores: CVSS 4.3, AI score 6.6, EPSS 0.01745

CVE-2012-2124 (added 2013/01/18 11:00 a.m., 80 views)

CVE-2012-2124 affects SquirrelMail’s imap_general.php used in RHEL 4/5; improper handling of 8-bit password characters allows remote attackers to cause DoS by spamming IMAP login attempts, creating many preference files. Root cause: an incorrect fix for CVE-2010-2813. Mitigation/fix references ap...

Scores: CVSS 5, AI score 6.4, EPSS 0.02451

CVE-2004-0639 (added 2004/07/09 4:00 a.m., 78 views)

CVE-2004-0639 affects SquirrelMail 1.2.0–1.2.10 (and earlier) with multiple XSS vectors in read_body.php and mailbox_display.php (also via event_title/event_text variables). Debian/DSA-535 notes four vulnerabilities including CVE-2004-0639; Debian fixes in 1.2.6-1.4 for Woody and 2:1.4.3a-0.1 for...

Scores: CVSS 6.8, AI score 5.8, EPSS 0.05956

CVE-2008-2379 (added 2008/12/05 12:00 a.m., 78 views)

CVE-2008-2379 is a cross-site scripting (XSS) vulnerability in SquirrelMail prior to 1.4.17, triggered by a crafted hyperlink in an HTML email part. The underlying issue is insufficient sanitization of HTML mail, allowing remote attackers to inject script/HTML in a user session. Related advisorie...

Scores: CVSS 4.3, AI score 6.6, EPSS 0.01776

CVE-2009-2964 (added 2009/08/25 5:00 p.m., 78 views)

CVE-2009-2964: Multiple CSRF vulnerabilities in SquirrelMail 1.4.19 and earlier, and NasMail before 1.7, allow remote attackers to hijack user authentication via various forms (send message, change preferences, etc.). Affected components include numerous PHP scripts (functions/mailbox_display.ph...

Scores: CVSS 6.8, AI score 7.7, EPSS 0.01517

CVE-2011-2753 (added 2011/07/17 8:00 p.m., 77 views)

SquirrelMail vulnerable: CSRF flaws in SquirrelMail 1.4.21 and earlier allow remote attackers to hijack a user’s session via CSRF on the Empty Trash and Index Order pages (CVE-2011-2753; related CVEs also listed). Impact is described as authentication hijack of unspecified victims; no exploitatio...

Scores: CVSS 6.8, AI score 6.6, EPSS 0.01081

CVE-2002-1648 (added 2005/03/28 5:00 a.m., 74 views)

CVE-2002-1648 describes a CSRF vulnerability in SquirrelMail’s compose.php prior to version 1.2.3. An attacker can trigger a request via an IMG URL with manipulated send_to and subject parameters to send mail as another user, exploiting cookie-based authentication. Affected software: SquirrelMail...

Scores: CVSS 7.5, AI score 6.7, EPSS 0.03437

CVE-2009-1580 (added 2009/05/14 5:00 p.m., 74 views)

CVE-2009-1580 refers to a session fixation vulnerability in SquirrelMail prior to version 1.4.18. The issue allows remote attackers to hijack web sessions by supplying a crafted cookie, enabling session takeover with the privileges of the affected user. The provided documents explicitly identify...

Scores: CVSS 5.8, AI score 7.1, EPSS 0.01855

CVE-2009-0030 (added 2009/01/21 8:00 p.m., 73 views)

CVE-2009-0030 corresponds to a session cookie handling flaw in SquirrelMail 1.4.8 patched by Red Hat/Miracle Linux advisories. The root cause was an incorrect fix for CVE-2008-3663, causing the SQMSESSID cookie value to be identical across sessions. This enables remote authenticated users to acce...

Scores: CVSS 6.5, AI score 7.2, EPSS 0.01675

CVE-2009-1381 (added 2009/05/22 8:00 p.m., 73 views)

CVE-2009-1381 relates to SquirrelMail prior to version 1.4.19-1 on Debian and possibly other OSes, where the map_yp_alias function in functions/imap_general.php allows remote execution of arbitrary commands via shell metacharacters in a username string used by ypmatch. Connected advisories confir...

Scores: CVSS 6.8, AI score 7.5, EPSS 0.02944

CVE-2004-0520 (added 2004/06/03 4:00 a.m., 72 views)

CVE-2004-0520 is a cross-site scripting (XSS) vulnerability in mime.php of SquirrelMail prior to 1.4.3. The issue allows remote attackers to inject arbitrary HTML and script via the content-type mail header, demonstrated via read_body.php. The vulnerability affects the webmail client, with an att...

Scores: CVSS 6.8, AI score 5.6, EPSS 0.07134

CVE-2020-14933 (added 2020/06/20 12:07 p.m., 72 views)

CVE-2020-14933 affects SquirrelMail 1.4.22. compose.php calls unserialize on the attachments value derived from HTTP POST data, enabling an unsafe deserialization path. The vendor disputes that the required PHP object-injection conditions are met (presence of a PHP magic method and attack-relevan...

Scores: CVSS 8.8, AI score 9.4, EPSS 0.01415

CVE-2010-4555 (added 2011/07/14 11:00 p.m., 71 views)

SquirrelMail (PHP webmail) versions 1.4.21 and earlier are affected by multiple XSS vulnerabilities (CVE-2010-4555, among others) via vectors including dropdown lists, the SquirrelSpell > character, and errors on the Index Order page. Open-source advisories and Nessus/OpenVAS feeds indic...

Scores: CVSS 4.3, AI score 6, EPSS 0.02348

CVE-2011-2752 (added 2011/07/17 8:00 p.m., 70 views)

SquirrelMail 1.4.21 and earlier are affected by a CRLF injection (via a newline in input) that allows remote attackers to modify or add user preference values. This is documented as CVE-2011-2752. The issue arises from the handling of input in preference fields.

Scores: CVSS 5.8, AI score 6.2, EPSS 0.01935

CVE-2018-14950 (added 2018/08/05 6:00 p.m., 69 views)

The CVE-2018-14950 entry applies to SquirrelMail up to version 1.4.22, where the mail message display page is vulnerable to XSS via an SVG attack (). The issue is a client‑side security flaw in how HTML/SVG content is rendered within the mail display view, enabling script execution in the applica...

Scores: CVSS 6.1, AI score 5.9, EPSS 0.01426

CVE-2018-14955 (added 2018/08/05 6:00 p.m., 67 views)

CVE-2018-14955 affects SquirrelMail prior to 1.4.23; the mail display page (through 1.4.22) is vulnerable to XSS via SVG animations (animate to attribute). Debian reports a fixed package at squirrelmail 2:1.4.23~svn20120406-2+deb8u3; other disclosures note unpatched status in some distros (e.g., ...

Scores: CVSS 6.1, AI score 5.9, EPSS 0.01426

CVE-2007-2589 (added 2007/05/11 3:55 a.m., 66 views)

CVE-2007-2589: A CSRF vulnerability in SquirrelMail 1.4.0–1.4.9a (compose.php) lets an attacker induce actions (sending mail) from an arbitrary user via data in an IMG SRC attribute. This is described across multiple advisories (RHSA-2007:0358, CentOS/RHSA backport, openSUSE/SUSE ESP). The CVSS ...

Scores: CVSS 5, AI score 6.6, EPSS 0.01374

CVE-2008-3663 (added 2008/09/24 2:00 p.m., 66 views)

CVE-2008-3663 summary (from provided docs): SquirrelMail prior to the patch release had a session cookie that was not marked Secure during HTTPS, potentially allowing cookie exposure to remote attackers via HTTP requests. The linked advisories reference SquirrelMail 1.4.15 and note that updates/p...

Scores: CVSS 5, AI score 7.3, EPSS 0.02159

CVE-2018-14953 (added 2018/08/05 6:00 p.m., 66 views)

CVE-2018-14953 affects SquirrelMail up to version 1.4.22, where the mail display page is vulnerable to XSS via crafted content (notably vectors involving and related elements). Debian security advisory confirms multiple XSS CVEs including CVE-2018-14953 and notes that fixes are available in squi...

Scores: CVSS 6.1, AI score 5.9, EPSS 0.01426

CVE-2007-6348 (added 2007/12/14 7:00 p.m., 64 views)

CVE-2007-6348 affects SquirrelMail 1.4.11 and 1.4.12 as distributed on SourceForge before 2007-12-13, where an external modification introduced a PHP remote file inclusion vulnerability allowing remote code execution. The vulnerability is categorized with CVSS v2 base score 6.8 (Network attack ve...

Scores: CVSS 6.8, AI score 7.3, EPSS 0.03914

CVE-2018-14951 (added 2018/08/05 6:00 p.m., 64 views)

CVE-2018-14951 affects SquirrelMail up to version 1.4.22, where a stored XSS is possible in the mail display page via a crafted form action using a data:text payload. Public disclosures and Debian security advisory confirm the issue and list affected packages; Debian fixes indicate upgrade to squ...

Scores: CVSS 6.1, AI score 5.9, EPSS 0.01426

CVE-2020-14932 (added 2020/06/20 12:07 p.m., 64 views)

CVE-2020-14932 affects SquirrelMail 1.4.22, where compose.php unserializes the $mailtodata value originating from an HTTP GET request (related to mailto.php). The underlying issue is unsafe deserialization in PHP, enabling potentially arbitrary object injection. CVSS vectors in the entry indicate...

Scores: CVSS 9.8, AI score 9.3, EPSS 0.01431

CVE-2007-2631 (added 2007/05/13 11:00 p.m., 63 views)

Technical details about CVE-2007-2631 are not publicly provided in the supplied documents. Available references discuss related CVEs (1262, 2589) and SquirrelMail mitigations, but no explicit details for CVE-2007-2631.

Scores: CVSS 7.5, AI score 6.8, EPSS 0.01382

CVE-2018-14952 (added 2018/08/05 6:00 p.m., 59 views)

CVE-2018-14952 affects SquirrelMail up to 1.4.22 with XSS via crafted HTML payloads on the mail display page (e.g., ). Debian’s DLA-1484-1 notes fixed package squirrelmail 2:1.4.23~svn20120406-2+deb8u3 for Jessie, indicating remediation via upgrade. The connected Nessus/OpenVAS entries confirm un...

Scores: CVSS 6.1, AI score 5.9, EPSS 0.01426

Total number of security vulnerabilities: 64