CVE-2009-1578

Published: May 14, 2009Modified: Apr 23, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).

Affected (60)

Products: Squirrelmail: Squirrelmail

Squirrelmail

1 product

Squirrelmail

Configuration A

60 vulnerable

Vulnerable Software	Affected Versions
Squirrelmail Squirrelmail	All versions
Squirrelmail Squirrelmail	Up to 1.4.17
Squirrelmail Squirrelmail	Version 0.1.1
Squirrelmail Squirrelmail	Version 0.1.2
Squirrelmail Squirrelmail	Version 0.1
Squirrelmail Squirrelmail	Version 0.2.1
Squirrelmail Squirrelmail	Version 0.2
Squirrelmail Squirrelmail	Version 0.3.1
Squirrelmail Squirrelmail	Version 0.3
Squirrelmail Squirrelmail	Version 0.3pre1
Squirrelmail Squirrelmail	Version 0.3pre2
Squirrelmail Squirrelmail	Version 0.4
Squirrelmail Squirrelmail	Version 0.4pre1
Squirrelmail Squirrelmail	Version 0.4pre2
Squirrelmail Squirrelmail	Version 0.5
Squirrelmail Squirrelmail	Version 0.5pre1
Squirrelmail Squirrelmail	Version 0.5pre2
Squirrelmail Squirrelmail	Version 1.0.1
Squirrelmail Squirrelmail	Version 1.0.2
Squirrelmail Squirrelmail	Version 1.0.3
Squirrelmail Squirrelmail	Version 1.0.4
Squirrelmail Squirrelmail	Version 1.0.5
Squirrelmail Squirrelmail	Version 1.0.6
Squirrelmail Squirrelmail	Version 1.0
Squirrelmail Squirrelmail	Version 1.0pre1
Squirrelmail Squirrelmail	Version 1.0pre2
Squirrelmail Squirrelmail	Version 1.0pre3
Squirrelmail Squirrelmail	Version 1.1.0
Squirrelmail Squirrelmail	Version 1.1.1
Squirrelmail Squirrelmail	Version 1.1.2
Squirrelmail Squirrelmail	Version 1.1.3
Squirrelmail Squirrelmail	Version 1.2.0
Squirrelmail Squirrelmail	Version 1.2.0_rc3
Squirrelmail Squirrelmail	Version 1.2.10
Squirrelmail Squirrelmail	Version 1.2.11
Squirrelmail Squirrelmail	Version 1.2.1
Squirrelmail Squirrelmail	Version 1.2.2
Squirrelmail Squirrelmail	Version 1.2.3
Squirrelmail Squirrelmail	Version 1.2.4
Squirrelmail Squirrelmail	Version 1.2.5
Squirrelmail Squirrelmail	Version 1.2.6
Squirrelmail Squirrelmail	Version 1.2.7
Squirrelmail Squirrelmail	Version 1.2.8
Squirrelmail Squirrelmail	Version 1.2.9
Squirrelmail Squirrelmail	Version 1.2
Squirrelmail Squirrelmail	Version 1.3.0
Squirrelmail Squirrelmail	Version 1.3.1
Squirrelmail Squirrelmail	Version 1.3.2
Squirrelmail Squirrelmail	Version 1.4.0
Squirrelmail Squirrelmail	Version 1.4.0_rc1
Squirrelmail Squirrelmail	Version 1.4.0_rc2a
Squirrelmail Squirrelmail	Version 1.4.10
Squirrelmail Squirrelmail	Version 1.4.10a
Squirrelmail Squirrelmail	Version 1.4.11
Squirrelmail Squirrelmail	Version 1.4.12
Squirrelmail Squirrelmail	Version 1.4.15
Squirrelmail Squirrelmail	Version 1.4.15_rc1
Squirrelmail Squirrelmail	Version 1.4.16
Squirrelmail Squirrelmail	Version 1.4.1
Squirrelmail Squirrelmail	Version 1.4

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (64)

http://download.gna.org/nasmail/nasmail-1.7.zip

Source: cve@mitre.org

http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html

Source: cve@mitre.org

http://osvdb.org/60468

Source: cve@mitre.org

http://secunia.com/advisories/35052

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/35073

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/35140

Source: cve@mitre.org

http://secunia.com/advisories/35259

Source: cve@mitre.org

http://secunia.com/advisories/37415

Source: cve@mitre.org

http://secunia.com/advisories/40220

Source: cve@mitre.org

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php?r1=13672&r2=13671&pathrev=13672

Source: cve@mitre.org

Patch

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog

Source: cve@mitre.org

Patch

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/global.php?r1=13670&r2=13669&pathrev=13670

Source: cve@mitre.org

Patch

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13670

Source: cve@mitre.org

Patch

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13672

Source: cve@mitre.org

Patch

http://support.apple.com/kb/HT4188

Source: cve@mitre.org

http://www.debian.org/security/2009/dsa-1802

Source: cve@mitre.org

http://www.mandriva.com/security/advisories?name=MDVSA-2009:110

Source: cve@mitre.org

ExploitPatch

http://www.redhat.com/support/errata/RHSA-2009-1066.html

Source: cve@mitre.org

http://www.securityfocus.com/bid/34916

Source: cve@mitre.org

Patch

http://www.squirrelmail.org/security/issue/2009-05-08

Source: cve@mitre.org

PatchVendor Advisory

http://www.squirrelmail.org/security/issue/2009-05-09

Source: cve@mitre.org

PatchVendor Advisory

http://www.vupen.com/english/advisories/2009/1296

Source: cve@mitre.org

PatchVendor Advisory

http://www.vupen.com/english/advisories/2009/3315

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2010/1481

Source: cve@mitre.org

https://bugzilla.redhat.com/show_bug.cgi?id=500363

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/50459

Source: cve@mitre.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/50460

Source: cve@mitre.org

https://gna.org/forum/forum.php?forum_id=2146

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11624

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00566.html

Source: cve@mitre.org

Patch

https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00572.html

Source: cve@mitre.org

https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00577.html

Source: cve@mitre.org

Patch

http://download.gna.org/nasmail/nasmail-1.7.zip