CVSS: 6.1EPSS: 2%CPEs: 60EXPL: 1CVE-2009-1578 – SquirrelMail: Multiple cross site scripting issues
https://notcve.org/view.php?id=CVE-2009-1578
14 May 2009 — Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING). Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en SquirrelMail versiones anteriores a v1.4.18 permite a atacantes remotos inyectar web script o ... • http://download.gna.org/nasmail/nasmail-1.7.zip • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 60EXPL: 0CVE-2009-1579 – SquirrelMail: Server-side code injection in map_yp_alias username map
https://notcve.org/view.php?id=CVE-2009-1579
14 May 2009 — The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. La función map_yp_alias en functions/imap_general.php en SquirrelMail versiones anteriores a v1.4.18 permite a atacantes remotos ejecutar comandos de su elección a través de metacaracteres de intérprete de comandos en una cadena de nombre de usuario que está utiliza... • http://download.gna.org/nasmail/nasmail-1.7.zip • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 1%CPEs: 72EXPL: 0CVE-2009-1580 – SquirrelMail: Session fixation vulnerability
https://notcve.org/view.php?id=CVE-2009-1580
14 May 2009 — Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. Vulnerabilidad de fijación de sesión en SquirrelMail versiones anteriores a v1.4.18 permite a atacantes remotos secuestrar sesiones web a través de una cookie manipulada. • http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html • CWE-287: Improper Authentication CWE-384: Session Fixation •
CVSS: 6.1EPSS: 1%CPEs: 60EXPL: 0CVE-2009-1581 – SquirrelMail: CSS positioning vulnerability
https://notcve.org/view.php?id=CVE-2009-1581
14 May 2009 — functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message. functions/mime.php en SquirrelMail versiones anteriores a v1.4.18 no protege el contenido de la aplicación de Cascading Style Sheets (CSS) posicionado en mensajes de correo HTML, lo cual permite a atacantes... • http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 0CVE-2009-0030 – squirrelmail: session management flaw
https://notcve.org/view.php?id=CVE-2009-0030
21 Jan 2009 — A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663. Un parche para Red Hat SquirrelMail v1.4.8 establece el mismo valor de la cookie SQMSESSID para todas las sesiones, lo que permite a usuarios autenticados r... • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 1%CPEs: 66EXPL: 0CVE-2008-2379 – squirrelmail: XSS issue caused by an insufficient html mail sanitation
https://notcve.org/view.php?id=CVE-2008-2379
05 Dec 2008 — Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en SquirrelMail anteriores a la v1.4.17 permitiría a atacantes remotos inyectar secuencia de código web o HTML a su elección a través de un hiperenlace manipulado en la parte HTML de un mensaje de correo electrónico. • http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2008-3663 – squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies
https://notcve.org/view.php?id=CVE-2008-3663
24 Sep 2008 — Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesión en una sesión https, lo que podría provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie. • http://int21.de/cve/CVE-2008-3663-squirrelmail.html • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 3%CPEs: 2EXPL: 0CVE-2007-6348
https://notcve.org/view.php?id=CVE-2007-6348
14 Dec 2007 — SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote attackers to execute arbitrary code. SquirrelMail versiones 1.4.11 y 1.4.12, distribuidas en sourceforge.net versiones anteriores a 20071213, se han modificado externamente para crear un Caballo de Troya que introduce una vulnerabilidad de inclusión remota de archivos PHP, que permite a los atac... • http://marc.info/?l=bugtraq&m=119765643909825&w=2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2007-3634
https://notcve.org/view.php?id=CVE-2007-3634
10 Jul 2007 — Unspecified vulnerability in the G/PGP (GPG) Plugin 2.0 for Squirrelmail 1.4.10a allows remote authenticated users to execute arbitrary commands via unspecified vectors, possibly related to the passphrase variable in the gpg_sign_attachment function, aka ZD-00000004. this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other C... • http://lists.immunitysec.com/pipermail/dailydave/2007-July/004448.html •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2007-3635
https://notcve.org/view.php?id=CVE-2007-3635
10 Jul 2007 — Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2.1 for Squirrelmail might allow "local authenticated users" to inject certain commands via unspecified vectors. NOTE: this might overlap CVE-2005-1924, CVE-2006-4169, or CVE-2007-3634. Múltiples vulnerabilidades no especificadas en el plugin G/PGP (GPG) versiones anteriores a 2.1 para Squirrelmail, podrían permitir a "local authenticated users" inyectar ciertos comandos por medio de vectores no especificados. NOTA: esto podría solaparse ... • http://osvdb.org/45789 •