// For flags

CVE-2006-0377

Gentoo Linux Security Advisory 200603-9

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection."

SquirrelMail does not validate the right_frame parameter in webmail.php, possibly allowing frame replacement or cross-site scripting. Martijn Brinkers and Scott Hughes discovered that MagicHTML fails to handle certain input correctly, potentially leading to cross-site scripting. Vicente Aguilera reported that the sqimap_mailbox_select function did not strip newlines from the mailbox or subject parameter, possibly allowing IMAP command injection. Versions less than 1.4.6 are affected.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2006-01-23 CVE Reserved
  • 2006-02-24 CVE Published
  • 2006-03-02 First Exploit
  • 2024-08-07 CVE Updated
  • 2025-07-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
CAPEC
References (23)
URL Tag Source
http://secunia.com/advisories/19130 Third Party Advisory
http://secunia.com/advisories/19131 Third Party Advisory
http://secunia.com/advisories/19176 Third Party Advisory
http://secunia.com/advisories/19205 Third Party Advisory
http://secunia.com/advisories/19960 Third Party Advisory
http://secunia.com/advisories/20210 Third Party Advisory
http://www.securityfocus.com/bid/16756 Vdb Entry
http://www.vupen.com/english/advisories/2006/0689 Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/24849 Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11470 Signature
URL Date SRC
https://packetstorm.news/files/id/44274 2006-03-02
URL Date SRC
http://securitytracker.com/id?1015662 2017-10-11
http://www.squirrelmail.org/security/issue/2006-02-15 2017-10-11
URL Date SRC
ftp://patches.sgi.com/support/free/security/advisories/20060501-01-U.asc 2017-10-11
http://secunia.com/advisories/18985 2017-10-11
http://www.debian.org/security/2006/dsa-988 2017-10-11
http://www.gentoo.org/security/en/glsa/glsa-200603-09.xml 2017-10-11
http://www.mandriva.com/security/advisories?name=MDKSA-2006:049 2017-10-11
http://www.novell.com/linux/security/advisories/2006_05_sr.html 2017-10-11
http://www.redhat.com/archives/fedora-announce-list/2006-March/msg00004.html 2017-10-11
http://www.redhat.com/support/errata/RHSA-2006-0283.html 2017-10-11
https://access.redhat.com/security/cve/CVE-2006-0377 2006-05-03
https://bugzilla.redhat.com/show_bug.cgi?id=1617884 2006-05-03
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.1
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.1"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.2
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.2"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.3
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.3"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.3_r3
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.3_r3"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.3_rc1
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.3_rc1"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.3a
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.3a"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.4
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.4"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.4_rc1
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.4_rc1"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.5
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.5"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4.6_rc1
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4.6_rc1"
-
Affected
Squirrelmail
Search vendor "Squirrelmail"
 Squirrelmail
Search vendor "Squirrelmail" for product "Squirrelmail"
 1.4_rc1
Search vendor "Squirrelmail" for product "Squirrelmail" and version "1.4_rc1"
-
Affected