
CVE-2025-30090
https://notcve.org/view.php?id=CVE-2025-30090
02 Apr 2025 — mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true. • https://squirrelmail.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-14932
https://notcve.org/view.php?id=CVE-2020-14932
20 Jun 2020 — compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is related to mailto.php. • https://www.openwall.com/lists/oss-security/2020/06/20/1 • CWE-502: Deserialization of Untrusted Data •

CVE-2020-14933
https://notcve.org/view.php?id=CVE-2020-14933
20 Jun 2020 — compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded). • https://www.openwall.com/lists/oss-security/2020/06/20/1 • CWE-502: Deserialization of Untrusted Data •

CVE-2012-5623
https://notcve.org/view.php?id=CVE-2012-5623
13 Feb 2020 — Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords. • http://www.openwall.com/lists/oss-security/2012/12/04/6 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVE-2019-12970 – Ubuntu Security Notice USN-4669-1
https://notcve.org/view.php?id=CVE-2019-12970
01 Jul 2019 — XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element. • https://packetstorm.news/files/id/153495 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-14950
https://notcve.org/view.php?id=CVE-2018-14950
05 Aug 2018 — The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<svg><a xlink:href=" attack. • http://www.openwall.com/lists/oss-security/2018/07/26/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-14951
https://notcve.org/view.php?id=CVE-2018-14951
05 Aug 2018 — The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. • http://www.openwall.com/lists/oss-security/2018/07/26/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-14952
https://notcve.org/view.php?id=CVE-2018-14952
05 Aug 2018 — The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack. • http://www.openwall.com/lists/oss-security/2018/07/26/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-14953
https://notcve.org/view.php?id=CVE-2018-14953
05 Aug 2018 — The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack. • http://www.openwall.com/lists/oss-security/2018/07/26/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-14954
https://notcve.org/view.php?id=CVE-2018-14954
05 Aug 2018 — The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute. • http://www.openwall.com/lists/oss-security/2018/07/26/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •