CVSS: 6.8EPSS: 0%CPEs: 91EXPL: 0CVE-2011-2753 – SquirrelMail: CSRF in the empty trash feature and in Index Order page
https://notcve.org/view.php?id=CVE-2011-2753
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the empty trash implementation and (2) the Index Order (aka options_order) page, a different issue than CVE-2010-4555. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en SquirrelMail v1.4.21 y anteriores permite a atacantes remotos secuestrar la autenticación de las víctimas a través de vectores no especificados participación (1) la implementación de la basura y (2) con la página Index Order (también conocido como options_order), una problema diferente a CVE-2010-4555. • http://rhn.redhat.com/errata/RHSA-2012-0103.html http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14119 http://www.debian.org/security/2011/dsa-2291 http://www.mandriva.com/security/advisories?name=MDVSA-2011:123 https://bugzilla.redhat.com/show_bug.cgi?id=720694 https://exchange.xforce.ibmcloud.com/vulnerabilities/68586 https://access.redhat.com/security/cve/CVE-2011-2753 https://bugzilla.redhat.com/show_bug.cgi?id=722832 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 91EXPL: 0CVE-2010-4554 – SquirrelMail: Prone to clickjacking attacks
https://notcve.org/view.php?id=CVE-2010-4554
functions/page_header.php in SquirrelMail 1.4.21 and earlier does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. functions/page_header.php en SquirrelMail v1.4.21 y anteriores no previene el renderizado de páginas dentro de un marco en un documento HTML de terceros, haciéndolo más fácil a atacantes remotos para realizar ataques de clickjacking mediante un sitio web manipulado. • http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://rhn.redhat.com/errata/RHSA-2012-0103.html http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/page_header.php?view=patch&r1=14117&r2=14116&pathrev=14117 http://support.apple.com/kb/HT5130 http://www.debian.org/security/2011/dsa-2291 http://www.mandriva.com/security/advisories?name=MDVSA-2011:123 http://www.squirrelmail.org/security/issue/2011-07-12 https: • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 91EXPL: 0CVE-2010-4555 – SquirrelMail: Multiple XSS flaws
https://notcve.org/view.php?id=CVE-2010-4555
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin, and (3) errors associated with the Index Order (aka options_order) page. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en SquirrelMail v1.4.21 y anteriores, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores que comprenden (1) listas desplegables de selección, (2) caracter > (mayor que) en el plugin SquirrelSpell spellchecking, y (3) errores asociados con la página Index Order (también conocido como options_order) • http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://rhn.redhat.com/errata/RHSA-2012-0103.html http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14119 http://support.apple.com/kb/HT5130 http://www.debian.org/security/2011/dsa-2291 http://www.mandriva.com/security/advisories?name=MDVSA-2011:123 http://www.squirrelmail.org/security/issue/2011-07-11 https://bugzilla.redhat.com/show_bug.cgi?id=720694 https://exchange.xforce.ib • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 91EXPL: 0CVE-2011-2023 – SquirrelMail: XSS in <style> tag handling
https://notcve.org/view.php?id=CVE-2011-2023
Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en functions/mime.php en SquirrelMail anterior a v.1.4.22 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un elemento STYLE en un correo electrónico. • http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://rhn.redhat.com/errata/RHSA-2012-0103.html http://securitytracker.com/id?1025766 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14121 http://support.apple.com/kb/HT5130 http://www.debian.org/security/2011/dsa-2291 http://www.mandriva.com/security/advisories?name=MDVSA-2011:123 http://www.squirrelmail.org/security/issue/2011-07-10 https://bugzilla.redhat.com/show_bug.cgi&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 11%CPEs: 54EXPL: 0CVE-2010-2813 – SquirrelMail: DoS (disk space consumption) by random IMAP login attempts with 8-bit characters in the password
https://notcve.org/view.php?id=CVE-2010-2813
functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files. functions/imap_general.php en SquirrelMail anterior a v1.4.21 no maneja adecuadamente los caracteres de 8-bits en contraseñas, lo cual permite a atacantes remotos causar una denegación de servicio (consumo de disco) realizando muchos intentos de inicio de sesión IMAP con diferentes nombres de usuario, llevando a la creación de muchos ficheros de preferencias. • http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045372.html http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045383.html http://rhn.redhat.com/errata/RHSA-2012-0103.html http://secunia.com/advisories/40964 http://secunia.com/advisories/40971 http://squirrelmail.org/security/issue/2010-07-23 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail&# • CWE-399: Resource Management Errors •