76 results (0.008 seconds)

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is related to mailto.php. El archivo compose.php en SquirrelMail versión 1.4.22, invoca la falta de serialización del valor de $mailtodata, que se origina a partir de una petición HTTP GET. Esto está relacionado con mailto.php • https://www.openwall.com/lists/oss-security/2020/06/20/1 • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded). ** EN DISPUTA ** compose.php en SquirrelMail 1.4.22 llama a unserialize para el valor $attachments, que se origina en una petición HTTP POST. NOTA: el proveedor disputa esto porque no se cumplen estas dos condiciones para la inyección de objetos PHP: existencia de un método mágico PHP (como __wakeup o __destruct), y cualquier clase relevante para el ataque debe ser declarada antes de llamar a unserialize (o debe ser autocargada). . • https://www.openwall.com/lists/oss-security/2020/06/20/1 • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords. Squirrelmail versión 4.0, utiliza el algoritmo hash MD5 obsoleto para las contraseñas. • http://www.openwall.com/lists/oss-security/2012/12/04/6 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 3

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element. Se detectó un XSS en SquirrelMail hasta la versión 1.4.22 y versión 1.5.x hasta 1.5.2. Debido al manejo inapropiado de los elementos de tipo RCDATA y RAWTEXT, el mecanismo de saneamiento incorporado puede ser omitido. • http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html https://lists.debian.org/debian-lts-announce/2019/08/msg00000.html https://seclists.org/bugtraq/2019/Jul/0 https://seclists.org/bugtraq/2019/Jul/50 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. La página de visualización de mensajes de email en SquirrelMail hasta la versión 1.4.22 tiene Cross-Site Scripting (XSS) mediante un ataque " • http://www.openwall.com/lists/oss-security/2018/07/26/2 https://bugs.debian.org/905023 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5FP5O562A4FM5TCFNEW73SS6PZONSAC https://sourceforge.net/p/squirrelmail/bugs/2831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •