CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

Metric | Value |
---|---|
Percentile | 83.8% |

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2.
Due to improper handling of RCDATA and RAWTEXT type elements, the built-in
sanitization mechanism can be bypassed. Malicious script content from HTML
e-mail can be executed within the application context via crafted use of
(for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | squirrelmail | < 2:1.4.23~svn20120406-2+deb8u3ubuntu0.14.04.1~esm1 | UNKNOWN |
ubuntu | 16.04 | noarch | squirrelmail | < 2:1.4.23~svn20120406-2+deb8u3ubuntu0.16.04.2 | UNKNOWN |
packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html
launchpad.net/bugs/cve/CVE-2019-12970
nvd.nist.gov/vuln/detail/CVE-2019-12970
seclists.org/bugtraq/2019/Jul/0
security-tracker.debian.org/tracker/CVE-2019-12970
ubuntu.com/security/notices/USN-4669-1
www.cve.org/CVERecord?id=CVE-2019-12970
www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt