Vulnerabilities > Squirrelmail
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2009-08-25 | CVE-2009-2964 | Cross-Site Request Forgery (CSRF) vulnerability in Squirrelmail Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | 6.8 |
2009-05-14 | CVE-2009-1581 | Cross-Site Scripting vulnerability in Squirrelmail functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message. | 4.3 |
2009-05-14 | CVE-2009-1580 | Improper Authentication vulnerability in Squirrelmail Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. | 5.8 |
2009-05-14 | CVE-2009-1579 | Code Injection vulnerability in Squirrelmail The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. | 6.8 |
2009-05-14 | CVE-2009-1578 | Cross-Site Scripting vulnerability in Squirrelmail Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING). | 4.3 |
2008-12-05 | CVE-2008-2379 | Cross-Site Scripting vulnerability in Squirrelmail Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. | 4.3 |
2008-09-24 | CVE-2008-3663 | Cryptographic Issues vulnerability in Squirrelmail 1.4.15 Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | 5.0 |
2007-12-14 | CVE-2007-6348 | Code Injection vulnerability in Squirrelmail 1.4.11/1.4.12 SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote attackers to execute arbitrary code. | 6.8 |
2007-07-15 | CVE-2007-3779 | File-Upload vulnerability in Squirrelmail GPG Plugin 2.1 PHP local file inclusion vulnerability in gpg_pop_init.php in the G/PGP (GPG) Plugin before 20070707 for Squirrelmail allows remote attackers to include and execute arbitrary local files, related to the MOD parameter. network squirrelmail | 4.3 |
2007-07-15 | CVE-2007-3778 | Remote Command Execution vulnerability in SquirrelMail G/PGP Encryption Plug-in The G/PGP (GPG) Plugin 2.0, and 2.1dev before 20060912, for Squirrelmail allows remote attackers to execute arbitrary commands via shell metacharacters in the messageSignedText parameter to the gpg_check_sign_pgp_mime function in gpg_hook_functions.php. | 7.5 |