CVE-2009-1578 – SquirrelMail: Multiple cross site scripting issues
https://notcve.org/view.php?id=CVE-2009-1578
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING). Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en SquirrelMail versiones anteriores a v1.4.18 permite a atacantes remotos inyectar web script o HTML a través de vectores envueltos en (1) determinadas cadenas encriptadas en cabeceras de correos electrónicos, relacionado con contrib/decrypt_headers.php; (2) PHP_SELF; y (3) la cadena "query" (también conocido como QUERY_STRING). • http://download.gna.org/nasmail/nasmail-1.7.zip http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html http://osvdb.org/60468 http://secunia.com/advisories/35052 http://secunia.com/advisories/35073 http://secunia.com/advisories/35140 http://secunia.com/advisories/35259 http://secunia.com/advisories/37415 http://secunia.com/advisories/40220 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php? • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-0030 – squirrelmail: session management flaw
https://notcve.org/view.php?id=CVE-2009-0030
A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663. Un parche para Red Hat SquirrelMail v1.4.8 establece el mismo valor de la cookie SQMSESSID para todas las sesiones, lo que permite a usuarios autenticados remotamente acceder a las listas de carpetas y datos de configuración de otros usuarios en circunstancias oportunas utilizando la interfaz estándar de webmail.php. NOTA: esta vulnerabilidad existe debido a un parche incorrecto para CVE-2008-3663. • http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://secunia.com/advisories/33611 http://securitytracker.com/id?1021611 http://www.securityfocus.com/bid/33354 https://bugzilla.redhat.com/show_bug.cgi?id=480224 https://bugzilla.redhat.com/show_bug.cgi?id=480488 https://exchange.xforce.ibmcloud.com/vulnerabilities/48115 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10366 https://rhn.redhat.com/errata/RHSA-2009-0057.html http • CWE-287: Improper Authentication •
CVE-2008-2379 – squirrelmail: XSS issue caused by an insufficient html mail sanitation
https://notcve.org/view.php?id=CVE-2008-2379
Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en SquirrelMail anteriores a la v1.4.17 permitiría a atacantes remotos inyectar secuencia de código web o HTML a su elección a través de un hiperenlace manipulado en la parte HTML de un mensaje de correo electrónico. • http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html http://secunia.com/advisories/32143 http://secunia.com/advisories/33054 http://secunia.com/advisories/33071 http://secunia.com/advisories/33937 http://security-net.biz/wsw/index.php?p=254&n=190 http://support.apple.com/kb/HT3438 http://www.debian.org/security/2008/dsa-1682 http://www.securityfocus.com/bid/32603 http://w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-3663 – squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies
https://notcve.org/view.php?id=CVE-2008-3663
Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesión en una sesión https, lo que podría provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie. • http://int21.de/cve/CVE-2008-3663-squirrelmail.html http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://secunia.com/advisories/33937 http://securityreason.com/securityalert/4304 http://support.apple.com/kb/HT3438 http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html http://www.securityfocus.c • CWE-310: Cryptographic Issues •
CVE-2007-6348
https://notcve.org/view.php?id=CVE-2007-6348
SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote attackers to execute arbitrary code. SquirrelMail versiones 1.4.11 y 1.4.12, distribuidas en sourceforge.net versiones anteriores a 20071213, se han modificado externamente para crear un Caballo de Troya que introduce una vulnerabilidad de inclusión remota de archivos PHP, que permite a los atacantes remotos ejecutar código arbitrario. • http://marc.info/?l=bugtraq&m=119765643909825&w=2 http://marc.info/?l=squirrelmail-devel&m=119756462212214&w=2 http://marc.info/?l=squirrelmail-devel&m=119765235203392&w=2 http://osvdb.org/42633 http://secunia.com/advisories/28095 http://www.securityfocus.com/archive/1/485037/100/0/threaded http://www.squirrelmail.org/index.php • CWE-94: Improper Control of Generation of Code ('Code Injection') •