Squirrelmail

squirrelmail

Vendor: Squirrelmail • 64 CVEs

CVEs (64)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2009-1381 1Squirrelmail 2Imap General.php Squirrelmail Apr 23, 2026 May 22, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via sh...Show more The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.Show less
CVE-2009-1581 1Squirrelmail 1Squirrelmail Apr 23, 2026 May 14, 2009 N/A· v4 N/A· v3 4.3 MEDIUM· v2 functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface...Show more functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message.Show less
CVE-2009-1580 1Squirrelmail 1Squirrelmail Apr 23, 2026 May 14, 2009 N/A· v4 N/A· v3 5.8 MEDIUM· v2 Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.
CVE-2009-1579 1Squirrelmail 1Squirrelmail Apr 23, 2026 May 14, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is use...Show more The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.Show less
CVE-2009-1578 1Squirrelmail 1Squirrelmail Apr 23, 2026 May 14, 2009 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings i...Show more Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).Show less
CVE-2009-0030 1Squirrelmail 1Squirrelmail Apr 23, 2026 Jan 21, 2009 N/A· v4 N/A· v3 6.5 MEDIUM· v2 A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic ci...Show more A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.Show less
CVE-2008-2379 1Squirrelmail 1Squirrelmail Apr 23, 2026 Dec 5, 2008 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.
CVE-2008-3663 1Squirrelmail 1Squirrelmail Apr 23, 2026 Sep 24, 2008 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
CVE-2007-6348 1Squirrelmail 1Squirrelmail Apr 23, 2026 Dec 14, 2007 N/A· v4 N/A· v3 6.8 MEDIUM· v2 SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote atta...Show more SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote attackers to execute arbitrary code.Show less
CVE-2007-3636 1Squirrelmail 2Gpg Plugin Squirrelmail Apr 23, 2026 Jul 10, 2007 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin 2.1 for Squirrelmail allow remote attackers to execute arbitrary commands via unspecified vectors. NOTE: this information is based upon a vague pre-advisory...Show more Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin 2.1 for Squirrelmail allow remote attackers to execute arbitrary commands via unspecified vectors. NOTE: this information is based upon a vague pre-advisory from a reliable researcher.Show less
CVE-2007-3635 1Squirrelmail 2Gpg Plugin Squirrelmail Apr 23, 2026 Jul 10, 2007 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2.1 for Squirrelmail might allow "local authenticated users" to inject certain commands via unspecified vectors. NOTE: this might overlap CVE-2005-192...Show more Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2.1 for Squirrelmail might allow "local authenticated users" to inject certain commands via unspecified vectors. NOTE: this might overlap CVE-2005-1924, CVE-2006-4169, or CVE-2007-3634.Show less
CVE-2007-2631 1Squirrelmail 1Squirrelmail Apr 23, 2026 May 13, 2007 N/A· v4 N/A· v3 7.5 HIGH· v2 Cross-site request forgery (CSRF) vulnerability in SquirrelMail 1.4.8-4.fc6 and earlier allows remote attackers to perform unspecified actions as arbitrary users via unspecified vectors. NOTE: this issue might overlap C...Show more Cross-site request forgery (CSRF) vulnerability in SquirrelMail 1.4.8-4.fc6 and earlier allows remote attackers to perform unspecified actions as arbitrary users via unspecified vectors. NOTE: this issue might overlap CVE-2007-2589 or CVE-2002-1648.Show less
CVE-2007-2589 1Squirrelmail 1Squirrelmail Apr 23, 2026 May 11, 2007 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail 1.4.0 through 1.4.9a allows remote attackers to send e-mails from arbitrary users via certain data in the SRC attribute of an IMG element.
CVE-2007-1262 1Squirrelmail 1Squirrelmail Apr 23, 2026 May 11, 2007 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment...Show more Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer.Show less
CVE-2006-6142 1Squirrelmail 1Squirrelmail Apr 23, 2026 Dec 5, 2006 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (...Show more Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter."Show less
CVE-2006-4019 1Squirrelmail 1Squirrelmail Apr 16, 2026 Aug 11, 2006 N/A· v4 N/A· v3 6.4 MEDIUM· v2 Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and preferences of other users.
CVE-2006-3665 1Squirrelmail 1Squirrelmail Apr 16, 2026 Jul 18, 2006 N/A· v4 N/A· v3 4.3 MEDIUM· v2 SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows remote attackers to hijack cookies in src/redirect.php via unknown vectors. NOTE: while "cookie theft" is frequently associated with XSS, the vendor...Show more SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows remote attackers to hijack cookies in src/redirect.php via unknown vectors. NOTE: while "cookie theft" is frequently associated with XSS, the vendor disclosure is too vague to be certain of this.Show less
CVE-2006-3174 1Squirrelmail 1Squirrelmail Apr 16, 2026 Jun 23, 2006 N/A· v4 N/A· v3 2.6 LOW· v2 Cross-site scripting (XSS) vulnerability in search.php in SquirrelMail 1.5.1 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary HTML via the mailbox parameter.
CVE-2006-2842 1Squirrelmail 1Squirrelmail Apr 16, 2026 Jun 6, 2006 N/A· v4 N/A· v3 7.5 HIGH· v2 PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code vi...Show more PHP remote file inclusion vulnerability in functions/plugin.php in SquirrelMail 1.4.6 and earlier, if register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the plugins array parameter. NOTE: this issue has been disputed by third parties, who state that Squirrelmail provides prominent warnings to the administrator when register_globals is enabled. Since the varieties of administrator negligence are uncountable, perhaps this type of issue should not be included in CVE. However, the original developer has posted a security advisory, so there might be relevant real-world environments under which this vulnerability is applicableShow less
CVE-2006-0377 1Squirrelmail 1Squirrelmail Apr 16, 2026 Feb 24, 2006 N/A· v4 N/A· v3 5.0 MEDIUM· v2 CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP inject...Show more CRLF injection vulnerability in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary IMAP commands via newline characters in the mailbox parameter of the sqimap_mailbox_select command, aka "IMAP injection."Show less

Previous 123 4 Next