Page 4 of 65 results

CVSS: 4.3 | EPSS: 0% | CPEs: 91 | EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin, and (3) errors associated with the Index Order (aka options_order) page.
• References:
  http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
  http://rhn.redhat.com/errata/RHSA-2012-0103.html
  http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14119
  http://support.apple.com/kb/HT5130
  http://www.debian.org/security/2011/dsa-2291
  http://www.mandriva.com/security/advisories?name=MDVSA-2011:123
  http://www.squirrelmail.org/security/issue/2011-07-11
  https://bugzilla.redhat.com/show_bug.cgi?id=720694
  https://exchange.xforce.ib
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.0 | EPSS: 11% | CPEs: 54 | EXPL: 0

functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files.
• References:
  http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045372.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045383.html
  http://rhn.redhat.com/errata/RHSA-2012-0103.html
  http://secunia.com/advisories/40964
  http://secunia.com/advisories/40971
  http://squirrelmail.org/security/issue/2010-07-23
  http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail
• CWE-399: Resource Management Errors

CVSS: 6.5 | EPSS: 0% | CPEs: 9 | EXPL: 0

The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number.
• References:
  http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=69
  http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043239.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043258.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043261.html
  http://rhn.redhat.com/errata/RHSA-2012-0103.html
  http
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.8 | EPSS: 0% | CPEs: 86 | EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
• References:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
  http://download.gna.org/nasmail/nasmail-1.7.zip
  http://jvn.jp/en/jp/JVN30881447/index.html
  http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
  http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
  http://osvdb.org/60469
  http://secunia.com/advisories/34627
  http://secunia.com/advisories/36363
  http://secunia.com/advisories/37415
  http://secunia.com/advisories/40220
  http://secunia
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.8 | EPSS: 4% | CPEs: 21 | EXPL: 1

The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.
• References:
  http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff
  http://secunia.com/advisories/35140
  http://www.debian.org/security/2009/dsa-1802
  http://www.mandriva.com/security/advisories?name=MDVSA-2009:122
  http://www.securityfocus.com/archive/1/503718/100/0/threaded
  https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01195.html
  https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01202.html