CVSS: 6.8EPSS: 4%CPEs: 21EXPL: 1CVE-2009-1381
https://notcve.org/view.php?id=CVE-2009-1381
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579. La función map_yp_alias en functions/imap_general.php en SquirrelMail anteriores a v1.4.19-1 en Debian GNU/Linux, y posiblemente otras versiones y sistemas operativos, permite a atacantes remotos ejecutar comandos de su elección a través de metacaracteres shell en una cadena de nombre de usuario, que es usada por el programa ypmatch. NOTA: Esta característica existe por una resolución deficiente de la vulnerabilidad CVE-2009-1579. • http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff http://secunia.com/advisories/35140 http://www.debian.org/security/2009/dsa-1802 http://www.mandriva.com/security/advisories?name=MDVSA-2009:122 http://www.securityfocus.com/archive/1/503718/100/0/threaded https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01195.html https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01202.html •
CVSS: 4.3EPSS: 0%CPEs: 60EXPL: 1CVE-2009-1578 – SquirrelMail: Multiple cross site scripting issues
https://notcve.org/view.php?id=CVE-2009-1578
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING). Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en SquirrelMail versiones anteriores a v1.4.18 permite a atacantes remotos inyectar web script o HTML a través de vectores envueltos en (1) determinadas cadenas encriptadas en cabeceras de correos electrónicos, relacionado con contrib/decrypt_headers.php; (2) PHP_SELF; y (3) la cadena "query" (también conocido como QUERY_STRING). • http://download.gna.org/nasmail/nasmail-1.7.zip http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html http://osvdb.org/60468 http://secunia.com/advisories/35052 http://secunia.com/advisories/35073 http://secunia.com/advisories/35140 http://secunia.com/advisories/35259 http://secunia.com/advisories/37415 http://secunia.com/advisories/40220 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php? • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 60EXPL: 0CVE-2009-1579 – SquirrelMail: Server-side code injection in map_yp_alias username map
https://notcve.org/view.php?id=CVE-2009-1579
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. La función map_yp_alias en functions/imap_general.php en SquirrelMail versiones anteriores a v1.4.18 permite a atacantes remotos ejecutar comandos de su elección a través de metacaracteres de intérprete de comandos en una cadena de nombre de usuario que está utilizada por el programa ypmatch. • http://download.gna.org/nasmail/nasmail-1.7.zip http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html http://secunia.com/advisories/35052 http://secunia.com/advisories/35073 http://secunia.com/advisories/35140 http://secunia.com/advisories/35259 http://secunia.com/advisories/37415 http://secunia.com/advisories/40220 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog http://squirrelmail.svn.sourceforge.net/ • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.8EPSS: 0%CPEs: 72EXPL: 0CVE-2009-1580 – SquirrelMail: Session fixation vulnerability
https://notcve.org/view.php?id=CVE-2009-1580
Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. Vulnerabilidad de fijación de sesión en SquirrelMail versiones anteriores a v1.4.18 permite a atacantes remotos secuestrar sesiones web a través de una cookie manipulada. • http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html http://secunia.com/advisories/35052 http://secunia.com/advisories/35073 http://secunia.com/advisories/35140 http://secunia.com/advisories/40220 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13676 http://support.apple.com/kb/HT4188 http://www.debian.org/security/2009/dsa-1802 ht • CWE-287: Improper Authentication CWE-384: Session Fixation •
CVSS: 4.3EPSS: 0%CPEs: 60EXPL: 0CVE-2009-1581 – SquirrelMail: CSS positioning vulnerability
https://notcve.org/view.php?id=CVE-2009-1581
functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message. functions/mime.php en SquirrelMail versiones anteriores a v1.4.18 no protege el contenido de la aplicación de Cascading Style Sheets (CSS) posicionado en mensajes de correo HTML, lo cual permite a atacantes remotos falsear la interfaz de usuario, y conducir ataques de secuencias de comandos en sitios cruzados (XSS) y phishing, a través de mensajes manipulados. • http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html http://secunia.com/advisories/35052 http://secunia.com/advisories/35073 http://secunia.com/advisories/35140 http://secunia.com/advisories/35259 http://secunia.com/advisories/40220 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/mime.php?r1=13667&r2=13666&pathr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •