Filtered by vendor Squirrelmail
Subscribe
Total
76 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2012-2124 | 2 Redhat, Squirrelmail | 2 Enterprise Linux, Squirrelmail | 2024-11-21 | 5.0 MEDIUM | N/A |
functions/imap_general.php in SquirrelMail, as used in Red Hat Enterprise Linux (RHEL) 4 and 5, does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preference files. NOTE: this issue exists because of an incorrect fix for CVE-2010-2813. | |||||
CVE-2012-0323 | 2 Paul Lesniewsk, Squirrelmail | 2 Autocomplete, Squirrelmail | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Autocomplete plugin before 3.0 for SquirrelMail allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
CVE-2011-2753 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the empty trash implementation and (2) the Index Order (aka options_order) page, a different issue than CVE-2010-4555. | |||||
CVE-2011-2752 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 5.8 MEDIUM | N/A |
CRLF injection vulnerability in SquirrelMail 1.4.21 and earlier allows remote attackers to modify or add preference values via a \n (newline) character, a different vulnerability than CVE-2010-4555. | |||||
CVE-2011-2023 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message. | |||||
CVE-2010-4555 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin, and (3) errors associated with the Index Order (aka options_order) page. | |||||
CVE-2010-4554 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 4.3 MEDIUM | N/A |
functions/page_header.php in SquirrelMail 1.4.21 and earlier does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. | |||||
CVE-2010-2813 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 5.0 MEDIUM | N/A |
functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files. | |||||
CVE-2010-1637 | 4 Apple, Fedoraproject, Redhat and 1 more | 7 Mac Os X, Mac Os X Server, Fedora and 4 more | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number. | |||||
CVE-2009-2964 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php. | |||||
CVE-2009-1581 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 4.3 MEDIUM | N/A |
functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message. | |||||
CVE-2009-1580 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 5.8 MEDIUM | N/A |
Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. | |||||
CVE-2009-1579 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 6.8 MEDIUM | N/A |
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. | |||||
CVE-2009-1578 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING). | |||||
CVE-2009-1381 | 1 Squirrelmail | 3 Imap General.php, Squirrelmail, Squirrelmail1.4.19-1 | 2024-11-21 | 6.8 MEDIUM | N/A |
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579. | |||||
CVE-2009-0030 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 6.5 MEDIUM | N/A |
A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663. | |||||
CVE-2008-3663 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 5.0 MEDIUM | N/A |
Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | |||||
CVE-2008-2379 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. | |||||
CVE-2007-6348 | 1 Squirrelmail | 1 Squirrelmail | 2024-11-21 | 6.8 MEDIUM | N/A |
SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote attackers to execute arbitrary code. | |||||
CVE-2007-3779 | 1 Squirrelmail | 1 Gpg Plugin | 2024-11-21 | 4.3 MEDIUM | N/A |
PHP local file inclusion vulnerability in gpg_pop_init.php in the G/PGP (GPG) Plugin before 20070707 for Squirrelmail allows remote attackers to include and execute arbitrary local files, related to the MOD parameter. |