CVE-2009-0030
squirrelmail: session management flaw
Summary
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2008-12-15 CVE Reserved
- 2009-01-21 CVE Published
- 2023-03-11 EPSS Updated
- 2024-08-07 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-287: Improper Authentication
CAPEC
References (10)

URL | Tag | Source
---|---|---
http://securitytracker.com/id?1021611 | Vdb Entry | 
http://www.securityfocus.com/bid/33354 | Vdb Entry | 
https://bugzilla.redhat.com/show_bug.cgi?id=480224 | X_refsource_confirm | 
https://exchange.xforce.ibmcloud.com/vulnerabilities/48115 | Vdb Entry | 
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10366 | Signature | 

URL | Date | SRC
---|---|---
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html | 2023-11-07 | 
http://secunia.com/advisories/33611 | 2023-11-07 | 
https://bugzilla.redhat.com/show_bug.cgi?id=480488 | 2009-01-19 | 
https://rhn.redhat.com/errata/RHSA-2009-0057.html | 2023-11-07 | 
https://access.redhat.com/security/cve/CVE-2009-0030 | 2009-01-19 | 
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Squirrelmail | Squirrelmail | 1.4.8 | - | Affected