SquirrelmailCVEs & Vulnerabilities

76 CVEs affecting Squirrelmail products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

squirrelmail 1,205gpg plugin 10vacation plugin 2s mime plugin 2address add plugin 2change passwd 1imap general.php 1squirrelmail1.4.19-1 1
CVE-2005-1924CRITICALpoc

The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636.

31 Dec 2005
9.3
CVSS
CVE-2005-3128MEDIUMpoc

Cross-site scripting (XSS) vulnerability in add.php in Address Add Plugin 1.9 and 2.0 for Squirrelmail allows remote attackers to inject arbitrary web script or HTML via the IMG tag.

5 Oct 2005
4.3
CVSS
CVE-2005-2095MEDIUMpoc

options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting XSS) attacks, and write arbitrary files.

13 Jul 2005
4.3
CVSS
CVE-2005-1769MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in (1) the URL or (2) an e-mail message.

16 Jun 2005
4.3
CVSS
CVE-2005-0183HIGH

ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to execute arbitrary commands via shell metacharacters in a command line argument.

2 May 2005
7.2
CVSS
CVE-2005-0184LOW

Directory traversal vulnerability in ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to read arbitrary files via a .. (dot dot) in a get request.

2 May 2005
2.1
CVSS
CVE-2005-0239HIGH

viewcert.php in the S/MIME plugin 0.4 and 0.5 for Squirrelmail allows remote attackers to execute arbitrary commands via shell metacharacters in the cert parameter.

2 May 2005
7.5
CVSS
CVE-2004-1036MEDIUM

Cross-site scripting (XSS) vulnerability in the decoding of encoded text in certain headers in mime.php for SquirrelMail 1.4.3a and earlier, and 1.5.1-cvs before 23rd October 2004, allows remote attackers to execute arbitrary web script or HTML.

1 Mar 2005
6.8
CVSS
CVE-2005-0152HIGH

PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows remote attackers to execute arbitrary code via "URL manipulation."

2 Feb 2005
7.5
CVSS
CVE-2005-0075MEDIUM

prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers.

29 Jan 2005
5.0
CVSS
CVE-2005-0104MEDIUM

Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via certain integer variables.

29 Jan 2005
4.3
CVSS
CVE-2005-0103HIGH

PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code.

24 Jan 2005
7.5
CVSS
CVE-2004-0521CRITICAL

SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.

18 Aug 2004
10.0
CVSS
CVE-2004-0520MEDIUMpoc

Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.

18 Aug 2004
6.8
CVSS
CVE-2004-0519MEDIUMpoc

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.

18 Aug 2004
6.8
CVSS
CVE-2004-0639MEDIUMpoc

Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable.

6 Aug 2004
6.8
CVSS
CVE-2003-0990HIGHpoc

The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote attackers to execute commands via shell metacharacters in the "To:" field.

20 Jan 2004
7.5
CVSS
CVE-2003-0160MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser.

2 Apr 2003
5.8
CVSS
CVE-2002-1648HIGH

Cross-site request forgery (CSRF) vulnerability in compose.php in SquirrelMail before 1.2.3 allows remote attackers to send email as other users via an IMG URL with modified send_to and subject parameters.

31 Dec 2002
7.5
CVSS
CVE-2002-1649MEDIUM

Cross-site scripting (XSS) vulnerability in read_body.php in SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary Javascript via a javascript: URL in an IMG tag.

31 Dec 2002
4.3
CVSS
CVE-2002-1650HIGH

The spell checker plugin (check_me.mod.php) for SquirrelMail before 1.2.3 allows remote attackers to execute arbitrary commands via a modified sqspell_command parameter.

31 Dec 2002
7.5
CVSS
CVE-2002-2086MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in magicHTML of SquirrelMail before 1.2.6 allow remote attackers to inject arbitrary web script or HTML via (1) "<<script" in unspecified input fields or (2) a javascript: URL in the src attribute of an IMG tag.

31 Dec 2002
4.3
CVSS
CVE-2002-1341MEDIUM

Cross-site scripting (XSS) vulnerability in read_body.php for SquirrelMail 1.2.10, 1.2.9, and earlier allows remote attackers to insert script and HTML via the (1) mailbox and (2) passed_id parameters.

18 Dec 2002
6.8
CVSS
CVE-2002-1276MEDIUM

An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks.

29 Nov 2002
4.3
CVSS
CVE-2002-1132MEDIUM

SquirrelMail 1.2.7 and earlier allows remote attackers to determine the absolute pathname of the options.php script via a malformed optpage file argument, which generates an error message when the file cannot be included in the script.

4 Oct 2002
5.0
CVSS
CVE-2002-1131HIGHpoc

Cross-site scripting vulnerabilities in SquirrelMail 1.2.7 and earlier allows remote attackers to execute script as other web users via (1) addressbook.php, (2) options.php, (3) search.php, or (4) help.php.

4 Oct 2002
7.5
CVSS
CVE-2002-0516CRITICALpoc

SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variable in a cookie.

12 Aug 2002
10.0
CVSS
CVE-2001-1159HIGH

load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config_php and data_dir options, and (2) execute arbitrary code by using options_order.php to upload a message that could be interpreted as PHP.

2 Jul 2001
7.5
CVSS
← PrevPage 2 / 2Next →