CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14932
https://notcve.org/view.php?id=CVE-2020-14932
compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is related to mailto.php. El archivo compose.php en SquirrelMail versión 1.4.22, invoca la falta de serialización del valor de $mailtodata, que se origina a partir de una petición HTTP GET. Esto está relacionado con mailto.php • https://www.openwall.com/lists/oss-security/2020/06/20/1 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14933
https://notcve.org/view.php?id=CVE-2020-14933
compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded). ** EN DISPUTA ** compose.php en SquirrelMail 1.4.22 llama a unserialize para el valor $attachments, que se origina en una petición HTTP POST. NOTA: el proveedor disputa esto porque no se cumplen estas dos condiciones para la inyección de objetos PHP: existencia de un método mágico PHP (como __wakeup o __destruct), y cualquier clase relevante para el ataque debe ser declarada antes de llamar a unserialize (o debe ser autocargada). . • https://www.openwall.com/lists/oss-security/2020/06/20/1 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 1%CPEs: 2EXPL: 3CVE-2019-12970 – SquirrelMail 1.4.22 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-12970
XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element. Se detectó un XSS en SquirrelMail hasta la versión 1.4.22 y versión 1.5.x hasta 1.5.2. Debido al manejo inapropiado de los elementos de tipo RCDATA y RAWTEXT, el mecanismo de saneamiento incorporado puede ser omitido. • http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html https://lists.debian.org/debian-lts-announce/2019/08/msg00000.html https://seclists.org/bugtraq/2019/Jul/0 https://seclists.org/bugtraq/2019/Jul/50 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14951
https://notcve.org/view.php?id=CVE-2018-14951
The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. La página de visualización de mensajes de email en SquirrelMail hasta la versión 1.4.22 tiene Cross-Site Scripting (XSS) mediante un ataque " • http://www.openwall.com/lists/oss-security/2018/07/26/2 https://bugs.debian.org/905023 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5FP5O562A4FM5TCFNEW73SS6PZONSAC https://sourceforge.net/p/squirrelmail/bugs/2831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14955
https://notcve.org/view.php?id=CVE-2018-14955
The mail message display page in SquirrelMail through 1.4.22 has XSS via SVG animations (animate to attribute). La página de visualización de mensajes de email en SquirrelMail hasta la versión 1.4.22 tiene Cross-Site Scripting (XSS) mediante animaciones SVG (animate to attribute). • http://www.openwall.com/lists/oss-security/2018/07/26/2 https://bugs.debian.org/905023 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5FP5O562A4FM5TCFNEW73SS6PZONSAC https://sourceforge.net/p/squirrelmail/bugs/2831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •