CVE-2019-12970 – SquirrelMail 1.4.22 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-12970
XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element. Se detectó un XSS en SquirrelMail hasta la versión 1.4.22 y versión 1.5.x hasta 1.5.2. Debido al manejo inapropiado de los elementos de tipo RCDATA y RAWTEXT, el mecanismo de saneamiento incorporado puede ser omitido. • http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html https://lists.debian.org/debian-lts-announce/2019/08/msg00000.html https://seclists.org/bugtraq/2019/Jul/0 https://seclists.org/bugtraq/2019/Jul/50 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-2813 – SquirrelMail: DoS (disk space consumption) by random IMAP login attempts with 8-bit characters in the password
https://notcve.org/view.php?id=CVE-2010-2813
functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files. functions/imap_general.php en SquirrelMail anterior a v1.4.21 no maneja adecuadamente los caracteres de 8-bits en contraseñas, lo cual permite a atacantes remotos causar una denegación de servicio (consumo de disco) realizando muchos intentos de inicio de sesión IMAP con diferentes nombres de usuario, llevando a la creación de muchos ficheros de preferencias. • http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045372.html http://lists.fedoraproject.org/pipermail/package-announce/2010-August/045383.html http://rhn.redhat.com/errata/RHSA-2012-0103.html http://secunia.com/advisories/40964 http://secunia.com/advisories/40971 http://squirrelmail.org/security/issue/2010-07-23 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail • CWE-399: Resource Management Errors •
CVE-2009-1580 – SquirrelMail: Session fixation vulnerability
https://notcve.org/view.php?id=CVE-2009-1580
Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. Vulnerabilidad de fijación de sesión en SquirrelMail versiones anteriores a v1.4.18 permite a atacantes remotos secuestrar sesiones web a través de una cookie manipulada. • http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html http://secunia.com/advisories/35052 http://secunia.com/advisories/35073 http://secunia.com/advisories/35140 http://secunia.com/advisories/40220 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13676 http://support.apple.com/kb/HT4188 http://www.debian.org/security/2009/dsa-1802 ht • CWE-287: Improper Authentication CWE-384: Session Fixation •
CVE-2006-4019 – SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite
https://notcve.org/view.php?id=CVE-2006-4019
Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and preferences of other users. Vulnerabilidad de evaluación de variable dinámica en compose.php en SquirrelMail 1.4.0 hasta la versión 1.4.7 permite a atacantes remotos sobreescribir variables del programa arbitrarias y leer o escribir los archivos adjuntos y preferencias de otros usuarios. • https://www.exploit-db.com/exploits/43839 ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://attrition.org/pipermail/vim/2006-August/000970.html http://docs.info.apple.com/article.html?artnum=306172 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html http://marc.info/?l=full-disclosure&m=115532449024178&w=2 http://secunia.com/advisories/21354 http://secunia.com/advisories/21444 http://secunia.com/advisories/21586 http:/ •
CVE-2006-3174
https://notcve.org/view.php?id=CVE-2006-3174
Cross-site scripting (XSS) vulnerability in search.php in SquirrelMail 1.5.1 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary HTML via the mailbox parameter. • http://docs.info.apple.com/article.html?artnum=306172 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html http://pridels0.blogspot.com/2006/06/squirrelmail-151-xss-vuln.html http://secunia.com/advisories/26235 http://www.mandriva.com/security/advisories?name=MDKSA-2006:147 http://www.osvdb.org/26610 http://www.securityfocus.com/bid/18700 http://www.securityfocus.com/bid/25159 http://www.vupen.com/english/advisories/2007/2732 https://exchange.xforce.ib •