CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 0.016 Low
EPSS Percentile: 87.4%
CentOS Errata and Security Advisory CESA-2009:1066
SquirrelMail is a standards-based webmail package written in PHP.
A server-side code injection flaw was found in the SquirrelMail
“map_yp_alias” function. If SquirrelMail was configured to retrieve a
user’s IMAP server address from a Network Information Service (NIS) server
via the “map_yp_alias” function, an unauthenticated, remote attacker using
a specially-crafted username could use this flaw to execute arbitrary code
with the privileges of the web server. (CVE-2009-1579)
Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. An
attacker could construct a carefully crafted URL, which once visited by an
unsuspecting user, could cause the user’s web browser to execute malicious
script in the context of the visited SquirrelMail web page. (CVE-2009-1578)
It was discovered that SquirrelMail did not properly sanitize Cascading
Style Sheets (CSS) directives used in HTML mail. A remote attacker could
send a specially-crafted email that could place mail content above
SquirrelMail’s controls, possibly allowing phishing and cross-site
scripting attacks. (CVE-2009-1581)
Users of squirrelmail should upgrade to this updated package, which
contains backported patches to correct these issues.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-May/078107.html
https://lists.centos.org/pipermail/centos-announce/2009-May/078108.html
https://lists.centos.org/pipermail/centos-announce/2009-May/078109.html
https://lists.centos.org/pipermail/centos-announce/2009-May/078110.html
Affected packages:
squirrelmail
Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1066
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
CentOS | 3 | noarch | squirrelmail | < 1.4.8-13.el3.centos.1 | squirrelmail-1.4.8-13.el3.centos.1.noarch.rpm |
CentOS | 5 | noarch | squirrelmail | < 1.4.8-5.el5.centos.7 | squirrelmail-1.4.8-5.el5.centos.7.noarch.rpm |
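The table gives the fixed package versions, so the practical check on a host is whether the installed squirrelmail RPM is older than the fixed one for its CentOS release. Plain string comparison gets this wrong (release `9.el3...` sorts after `13.el3...` lexically), so the check below, an added example that is not part of the advisory or of CentOS/Red Hat tooling, ports RPM's segment-by-segment version comparison to Python and applies it to the default `rpm -q squirrelmail` output format (NAME-VERSION-RELEASE.ARCH). The fixed versions come from the table above; the sample `rpm -q` lines are constructed for the example and do not describe real hosts. It assumes the `.elN` dist tag in the release string identifies the CentOS major release.

```python
"""Check installed squirrelmail RPM versions against the fixed versions in
CESA-2009:1066 using a Python port of RPM's version-comparison rules."""
import re

# Fixed (non-vulnerable) versions from the advisory table, by CentOS release.
FIXED_VERSIONS = {
    "3": "1.4.8-13.el3.centos.1",
    "5": "1.4.8-5.el5.centos.7",
}

# One token per digit run, letter run, or tilde; everything else is a separator.
_TOKEN = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpmvercmp() does.

    Returns -1 if a < b, 0 if equal, 1 if a > b. Digit runs compare numerically,
    letter runs lexically, a digit run beats a letter run, and a tilde sorts
    before anything (so 1.0~rc1 < 1.0). The newer '^' rule is not modelled here.
    """
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    i = 0
    while i < len(ta) and i < len(tb):
        x, y = ta[i], tb[i]
        if x == "~" or y == "~":
            if x == y:                        # both tilde: skip and keep comparing
                i += 1
                continue
            return -1 if x == "~" else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment outranks alpha
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):              # longer number is larger
                return 1 if len(x) > len(y) else -1
        if x != y:                            # same type and length: lexical
            return 1 if x > y else -1
        i += 1
    if i == len(ta) and i == len(tb):
        return 0
    if i < len(ta):                           # a has leftover tokens
        return -1 if ta[i] == "~" else 1
    return 1 if tb[i] == "~" else -1          # b has leftover tokens


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into its parts (epoch defaults to 0)."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed_evr: str, centos_release: str) -> bool:
    """True when the installed EVR is older than the advisory's fixed version."""
    return evr_cmp(installed_evr, FIXED_VERSIONS[centos_release]) < 0


def check_rpm_line(nvra: str) -> bool:
    """Take one line of default `rpm -q squirrelmail` output (NAME-VERSION-RELEASE.ARCH),
    infer the CentOS release from the .elN dist tag (assumption), and report vulnerability."""
    nvr, _, _arch = nvra.rpartition(".")
    name, version, release = nvr.rsplit("-", 2)   # version/release never contain '-'
    if name != "squirrelmail":
        raise ValueError(f"not a squirrelmail package: {nvra}")
    m = re.search(r"\.el(\d+)", release)
    if not m or m.group(1) not in FIXED_VERSIONS:
        raise ValueError(f"cannot map dist tag to a CentOS release in {nvra}")
    return is_vulnerable(f"{version}-{release}", m.group(1))


# Constructed sample output (not real hosts): one vulnerable and one fixed per release.
SAMPLE_RPM_OUTPUT = [
    "squirrelmail-1.4.8-9.el3.centos.1.noarch",   # 9 < 13 numerically: vulnerable
    "squirrelmail-1.4.8-13.el3.centos.1.noarch",  # matches the fixed version
    "squirrelmail-1.4.8-5.el5.centos.5.noarch",   # release suffix 5 < 7: vulnerable
    "squirrelmail-1.4.8-5.el5.centos.7.noarch",   # matches the fixed version
]

if __name__ == "__main__":
    for line in SAMPLE_RPM_OUTPUT:
        status = "VULNERABLE" if check_rpm_line(line) else "fixed"
        print(f"{line}: {status}")
```

On a real host, feed `rpm -q squirrelmail` output into `check_rpm_line`; a package with a non-zero epoch would need the `%{EPOCH}` field added to the EVR before calling `is_vulnerable`, which `parse_evr` already accepts.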