Squirrelmail Security Vulnerabilities and Issues — Squirrelmail CVE List

Lucene search

SquirrelmailSquirrelmail

17 matches found

CVE•added 2005/07/13 4:0 a.m.•102 views

CVE-2005-2095

options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting XSS) attacks, and write arbitrary files.

4.3CVSS8.8AI score0.1115EPSS

CVE•added 2005/02/06 5:0 a.m.•93 views

CVE-2005-0104

Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via certain integer variables.

4.3CVSS5.4AI score0.01372EPSS

CVE•added 2006/02/24 12:2 a.m.•91 views

CVE-2006-0195

Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/" and " /" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers i...

4.3CVSS5.5AI score0.02742EPSS

CVE•added 2006/02/24 12:2 a.m.•90 views

CVE-2006-0188

webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS.

4.3CVSS5.4AI score0.01359EPSS

CVE•added 2005/06/20 4:0 a.m.•87 views

CVE-2005-1769

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in (1) the URL or (2) an e-mail message.

4.3CVSS8.1AI score0.01697EPSS

CVE•added 2009/05/14 5:30 p.m.•75 views

CVE-2009-1578

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3)...

4.3CVSS6.6AI score0.02924EPSS

CVE•added 2011/07/14 11:55 p.m.•74 views

CVE-2011-2023

Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message.

4.3CVSS5.9AI score0.00603EPSS

CVE•added 2011/07/14 11:55 p.m.•68 views

CVE-2010-4554

functions/page_header.php in SquirrelMail 1.4.21 and earlier does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.

4.3CVSS6AI score0.00472EPSS

CVE•added 2009/05/14 5:30 p.m.•63 views

CVE-2009-1581

functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted me...

4.3CVSS6.6AI score0.01286EPSS

CVE•added 2008/12/05 12:30 a.m.•58 views

CVE-2008-2379

Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.

4.3CVSS6.6AI score0.0126EPSS

CVE•added 2007/05/11 4:20 a.m.•56 views

CVE-2007-1262

Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when vi...

4.3CVSS5.4AI score0.01656EPSS

CVE•added 2011/07/14 11:55 p.m.•53 views

CVE-2010-4555

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin, and (3) errors a...

4.3CVSS6AI score0.00895EPSS

CVE•added 2007/07/10 12:30 a.m.•41 views

CVE-2007-3635

Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2.1 for Squirrelmail might allow "local authenticated users" to inject certain commands via unspecified vectors. NOTE: this might overlap CVE-2005-1924, CVE-2006-4169, or CVE-2007-3634.

4.3CVSS6.5AI score0.09756EPSS

CVE•added 2005/07/14 4:0 a.m.•40 views

CVE-2002-2086

Multiple cross-site scripting (XSS) vulnerabilities in magicHTML of SquirrelMail before 1.2.6 allow remote attackers to inject arbitrary web script or HTML via (1) "<

4.3CVSS6AI score0.00675EPSS

CVE•added 2002/11/29 5:0 a.m.•36 views

CVE-2002-1276

An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks.

4.3CVSS5.5AI score0.00636EPSS

CVE•added 2005/03/28 5:0 a.m.•36 views

CVE-2002-1649

Cross-site scripting (XSS) vulnerability in read_body.php in SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary Javascript via a javascript: URL in an IMG tag.

4.3CVSS6.2AI score0.00764EPSS

CVE•added 2006/07/18 3:47 p.m.•33 views

CVE-2006-3665

SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows remote attackers to hijack cookies in src/redirect.php via unknown vectors. NOTE: while "cookie theft" is frequently associated with XSS, the vendor disclosure is too vague to be certain of this.

4.3CVSS6.6AI score0.00329EPSS