Total
67 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2006-0188 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 4.3 MEDIUM | N/A |
webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS. | |||||
CVE-2005-0075 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 5.0 MEDIUM | N/A |
prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers. | |||||
CVE-2005-2095 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 4.3 MEDIUM | N/A |
options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting XSS) attacks, and write arbitrary files. | |||||
CVE-2005-0104 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via certain integer variables. | |||||
CVE-2005-0152 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 7.5 HIGH | N/A |
PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows remote attackers to execute arbitrary code via "URL manipulation." | |||||
CVE-2006-0195 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 4.3 MEDIUM | N/A |
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer. | |||||
CVE-2006-4019 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 6.4 MEDIUM | N/A |
Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and preferences of other users. | |||||
CVE-2004-1036 | 2 Gentoo, Squirrelmail | 2 Linux, Squirrelmail | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the decoding of encoded text in certain headers in mime.php for SquirrelMail 1.4.3a and earlier, and 1.5.1-cvs before 23rd October 2004, allows remote attackers to execute arbitrary web script or HTML. | |||||
CVE-2005-0103 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 7.5 HIGH | N/A |
PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code. | |||||
CVE-2006-3665 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 4.3 MEDIUM | N/A |
SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows remote attackers to hijack cookies in src/redirect.php via unknown vectors. NOTE: while "cookie theft" is frequently associated with XSS, the vendor disclosure is too vague to be certain of this. | |||||
CVE-2005-1769 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in (1) the URL or (2) an e-mail message. | |||||
CVE-2002-0516 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 10.0 HIGH | N/A |
SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variable in a cookie. | |||||
CVE-2002-1276 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 4.3 MEDIUM | N/A |
An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks. | |||||
CVE-2004-0639 | 3 Open Webmail, Sgi, Squirrelmail | 3 Open Webmail, Propack, Squirrelmail | 2024-02-28 | 6.8 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable. | |||||
CVE-2004-0520 | 3 Open Webmail, Sgi, Squirrelmail | 3 Open Webmail, Propack, Squirrelmail | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. | |||||
CVE-2003-0990 | 1 Squirrelmail | 2 Gpg Plugin, Squirrelmail | 2024-02-28 | 7.5 HIGH | N/A |
The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote attackers to execute commands via shell metacharacters in the "To:" field. | |||||
CVE-2001-1159 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 7.5 HIGH | N/A |
load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config_php and data_dir options, and (2) execute arbitrary code by using options_order.php to upload a message that could be interpreted as PHP. | |||||
CVE-2002-1648 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 7.5 HIGH | N/A |
Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail before 1.2.3 allows remote attackers to send email as other users via an IMG URL with modified send_to and subject parameters. | |||||
CVE-2002-1131 | 1 Squirrelmail | 1 Squirrelmail | 2024-02-28 | 7.5 HIGH | N/A |
Cross-site scripting vulnerabilities in SquirrelMail 1.2.7 and earlier allows remote attackers to execute script as other web users via (1) addressbook.php, (2) options.php, (3) search.php, or (4) help.php. | |||||
CVE-2004-0521 | 2 Sgi, Squirrelmail | 2 Propack, Squirrelmail | 2024-02-28 | 10.0 HIGH | N/A |
SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. |