Product:

Squirrelmail

(Squirrelmail)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 65
Date Id Summary Products Score Patch Annotated
2010-06-22 CVE-2010-1637 The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number. Mac_os_x, Mac_os_x_server, Fedora, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation, Squirrelmail 6.5
2006-06-06 CVE-2006-2842 PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable,... Squirrelmail N/A
2009-01-21 CVE-2009-0030 A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663. Squirrelmail N/A
2009-05-22 CVE-2009-1381 The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579. Imap_general\.php, Squirrelmail, Squirrelmail1\.4\.19\-1 N/A
2013-01-18 CVE-2012-2124 functions/imap_general.php in SquirrelMail, as used in Red Hat Enterprise Linux (RHEL) 4 and 5, does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preference files. NOTE: this issue exists because of an incorrect fix for CVE-2010-2813. Enterprise_linux, Squirrelmail N/A
2018-03-17 CVE-2018-8741 A directory traversal flaw in SquirrelMail 1.4.22 allows an authenticated attacker to exfiltrate (or potentially delete) files from the hosting server, related to ../ in the att_local_name field in Deliver.class.php. Debian_linux, Squirrelmail 8.8
2018-08-05 CVE-2018-14950 The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<svg><a xlink:href=" attack. Squirrelmail 6.1
2018-08-05 CVE-2018-14951 The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. Squirrelmail 6.1
2018-08-05 CVE-2018-14952 The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack. Squirrelmail 6.1
2018-08-05 CVE-2018-14953 The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack. Squirrelmail 6.1