Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
gentooGentoo FoundationGLSA-200411-25
HistoryNov 17, 2004 - 12:00 a.m.

SquirrelMail: Encoded text XSS vulnerability

2004-11-1700:00:00
Gentoo Foundation
security.gentoo.org
15

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.027

Percentile

90.5%

JSON

Background

SquirrelMail is a webmail package written in PHP. It supports IMAP and SMTP, and can optionally be installed with SQL support.

Description

SquirrelMail fails to properly sanitize certain strings when decoding specially-crafted headers.

Impact

By enticing a user to read a specially-crafted e-mail, an attacker can execute arbitrary scripts running in the context of the victim’s browser. This could lead to a compromise of the user’s webmail account, cookie theft, etc.

Workaround

There is no known workaround at this time.

Resolution

All SquirrelMail users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.3a-r2"

Note: Users with the vhosts USE flag set should manually use webapp-config to finalize the update.

OSVersionArchitecturePackageVersionFilename
Gentooanyallmail-client/squirrelmail< 1.4.3a-r2UNKNOWN

Related

openvas 6
redhat 1
nessus 7
ubuntucve 1
cve 1
cvelist 1
nvd 1
securityvulns 1
freebsd 1
openvas
openvas
FreeBSD Ports: ja-squirrelmail
2008-09-04 00:00:00
Gentoo Security Advisory GLSA 200411-25 (SquirrelMail)
2008-09-24 00:00:00
Gentoo Security Advisory GLSA 200411-25 (SquirrelMail)
2008-09-24 00:00:00
redhat
redhat
(RHSA-2004:654) squirrelmail security update
2004-12-23 00:00:00
nessus
nessus
RHEL 3 : squirrelmail (RHSA-2004:654)
2004-12-27 00:00:00
GLSA-200411-25 : SquirrelMail: Encoded text XSS vulnerability
2004-11-17 00:00:00
SquirrelMail decodeHeader Arbitrary HTML Injection
2004-11-13 00:00:00
ubuntucve
ubuntucve
CVE-2004-1036
2005-03-01 00:00:00
cve
cve
CVE-2004-1036
2005-03-01 05:00:00
cvelist
cvelist
CVE-2004-1036
2004-11-16 05:00:00
nvd
nvd
CVE-2004-1036
2005-03-01 05:00:00
securityvulns
securityvulns
SquirrelMail Security Advisory
2005-01-30 00:00:00
freebsd
freebsd
squirrelmail -- XSS and remote code injection vulnerabilities
2005-01-29 00:00:00

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.027

Percentile

90.5%

JSON
Related for GLSA-200411-25
openvas6redhat1nessus7ubuntucve1cve1cvelist1nvd1securityvulns1freebsd1