CVE-2011-2023 – SquirrelMail: XSS in <style> tag handling
https://notcve.org/view.php?id=CVE-2011-2023
Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en functions/mime.php en SquirrelMail anterior a v.1.4.22 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un elemento STYLE en un correo electrónico. • http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://rhn.redhat.com/errata/RHSA-2012-0103.html http://securitytracker.com/id?1025766 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14121 http://support.apple.com/kb/HT5130 http://www.debian.org/security/2011/dsa-2291 http://www.mandriva.com/security/advisories?name=MDVSA-2011:123 http://www.squirrelmail.org/security/issue/2011-07-10 https://bugzilla.redhat.com/show_bug.cgi • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-2813 – SquirrelMail: DoS (disk space consumption) by random IMAP login attempts with 8-bit characters in the password
https://notcve.org/view.php?id=CVE-2010-2813
functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files. functions/imap_general.php en SquirrelMail anterior a v1.4.21 no maneja adecuadamente los caracteres de 8-bits en contraseñas, lo cual permite a atacantes remotos causar una denegación de servicio (consumo de disco) realizando muchos intentos de inicio de sesión IMAP con diferentes nombres de usuario, llevando a la creación de muchos ficheros de preferencias. • http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045372.html http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045383.html http://rhn.redhat.com/errata/RHSA-2012-0103.html http://secunia.com/advisories/40964 http://secunia.com/advisories/40971 http://squirrelmail.org/security/issue/2010-07-23 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail • CWE-399: Resource Management Errors •
CVE-2010-1637 – SquirrelMail: Mail Fetch plugin -- port-scans via non-standard POP3 server ports
https://notcve.org/view.php?id=CVE-2010-1637
The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number. El plugin Mail Fetch en SquirrelMail 1.4.20 y versiones anteriores, permite a atacantes remotos autenticados eludir las restricciones del firewall y usar SquirrelMail como un proxy para escanear redes internas mediante un número de puerto POP3 modificado. • http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=69 http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043239.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043258.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043261.html http://rhn.redhat.com/errata/RHSA-2012-0103.html http& • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2009-2964 – squirrelmail: CSRF issues in all forms
https://notcve.org/view.php?id=CVE-2009-2964
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados(CSRF) en SquirrelMail v1.4.19 y anteriores permite a atacantes remotos secuestrar la autenticacion de victimas inespecificas a traves de caracteristicas tales como "enviar mensaje" y "cambiar preferencias", relacionado con (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, y (17) src/vcard.php. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818 http://download.gna.org/nasmail/nasmail-1.7.zip http://jvn.jp/en/jp/JVN30881447/index.html http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html http://osvdb.org/60469 http://secunia.com/advisories/34627 http://secunia.com/advisories/36363 http://secunia.com/advisories/37415 http://secunia.com/advisories/40220 http://secunia& • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2009-1381
https://notcve.org/view.php?id=CVE-2009-1381
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579. La función map_yp_alias en functions/imap_general.php en SquirrelMail anteriores a v1.4.19-1 en Debian GNU/Linux, y posiblemente otras versiones y sistemas operativos, permite a atacantes remotos ejecutar comandos de su elección a través de metacaracteres shell en una cadena de nombre de usuario, que es usada por el programa ypmatch. NOTA: Esta característica existe por una resolución deficiente de la vulnerabilidad CVE-2009-1579. • http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff http://secunia.com/advisories/35140 http://www.debian.org/security/2009/dsa-1802 http://www.mandriva.com/security/advisories?name=MDVSA-2009:122 http://www.securityfocus.com/archive/1/503718/100/0/threaded https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01195.html https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01202.html •