SquirrelMail is vulnerable to cross-site scripting. The vulnerability is possible through bypassing the buit-in sanitization due to improper handling of RCDATA and RAWTEXT type elements. An attacker may execute malicious script content from HTML e-mail within the application context.
packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html
git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2019-12970
lists.debian.org/debian-lts-announce/2019/08/msg00000.html
seclists.org/bugtraq/2019/Jul/0
seclists.org/bugtraq/2019/Jul/50
www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt