Executive Summary

| Summary | |
|---|---|
| Title | Updated SquirrelMail package fixes multiple vulnerabilities |
| Information | | | |
|---|---|---|---|
| Name | RHSA-2004:240 | First vendor publication | 2004-06-14 |
| Vendor | RedHat | Last vendor modification | 2004-06-14 |
| Severity (vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3

| CVSS vector: N/A | | | |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Sub Score | NA | Temporal Score | NA |
| Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

| CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | | |
|---|---|---|---|
| CVSS Base Score | 10 | Attack Range | Network |
| CVSS Impact Score | 10 | Attack Complexity | Low |
| CVSS Exploit Score | 10 | Authentication | None Required |
Detail

Problem Description:

Original Source

URL: https://rhn.redhat.com/errata/RHSA-2004-240.html
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:1006

| Oval ID: | oval:org.mitre.oval:def:1006 | | |
|---|---|---|---|
| Title: | SquirrelMail Cross-site Scripting Vulnerability I | | |
| Description: | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. | | |
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2004-0519 | Version: | 3 |
| Platform(s): | Red Hat Enterprise Linux 3 | Product(s): | SquirrelMail |
| Definition Synopsis: | | | |
Definition Id: oval:org.mitre.oval:def:1012

| Oval ID: | oval:org.mitre.oval:def:1012 | | |
|---|---|---|---|
| Title: | SquirrelMail Cross-site Scripting Vulnerability II | | |
| Description: | Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. | | |
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2004-0520 | Version: | 3 |
| Platform(s): | Red Hat Enterprise Linux 3 | Product(s): | SquirrelMail |
| Definition Synopsis: | | | |
Definition Id: oval:org.mitre.oval:def:10274

| Oval ID: | oval:org.mitre.oval:def:10274 | | |
|---|---|---|---|
| Title: | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. | | |
| Description: | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. | | |
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2004-0519 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3, CentOS Linux 3 | Product(s): | |
| Definition Synopsis: | | | |
Definition Id: oval:org.mitre.oval:def:1033

| Oval ID: | oval:org.mitre.oval:def:1033 | | |
|---|---|---|---|
| Title: | SquirrelMail SQL Injection Vulnerability | | |
| Description: | SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. | | |
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2004-0521 | Version: | 3 |
| Platform(s): | Red Hat Enterprise Linux 3 | Product(s): | SquirrelMail |
| Definition Synopsis: | | | |
Definition Id: oval:org.mitre.oval:def:10766

| Oval ID: | oval:org.mitre.oval:def:10766 | | |
|---|---|---|---|
| Title: | Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. | | |
| Description: | Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. | | |
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2004-0520 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3, CentOS Linux 3 | Product(s): | |
| Definition Synopsis: | | | |
Definition Id: oval:org.mitre.oval:def:11446

| Oval ID: | oval:org.mitre.oval:def:11446 | | |
|---|---|---|---|
| Title: | SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. | | |
| Description: | SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. | | |
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2004-0521 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3, CentOS Linux 3 | Product(s): | |
| Definition Synopsis: | | | |

CPE: Common Platform Enumeration
OpenVAS Exploits

| Date | Name | File |
|---|---|---|
| 2008-09-24 | Gentoo Security Advisory GLSA 200405-16 (SquirrelMail) | nvt/glsa_200405_16.nasl |
| 2008-09-24 | Gentoo Security Advisory GLSA 200406-08 (Squirrelmail) | nvt/glsa_200406_08.nasl |
| 2008-09-04 | FreeBSD Ports: openwebmail | nvt/freebsd_openwebmail.nasl |
| 2008-01-17 | Debian Security Advisory DSA 535-1 (squirrelmail) | nvt/deb_535_1.nasl |
Open Source Vulnerability Database (OSVDB)

| Id | Description |
|---|---|
| 6841 | SquirrelMail abook_database.php SQL Injection. SquirrelMail contains a flaw that allows an attacker to inject arbitrary SQL code. The issue is due to insufficient sanitizing of input sent to the "abook_database.php" script, which allows an attacker to inject or manipulate SQL queries. By sending a specially crafted URL containing malicious SQL code, a remote attacker could add, modify or delete user information in the back-end database. |
| 6514 | SquirrelMail mime.php Content-Type XSS. Multiple webmail products contain a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate Content-Type upon submission to the mime.php script (or whatever script controls the header content-type). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 6337 | SquirrelMail compose.php Multiple Parameter XSS. SquirrelMail contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate mailbox variables upon submission to the compose.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Nessus® Vulnerability Scanner

| Date | Name | File | Type |
|---|---|---|---|
| 2009-04-23 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_c5519420cec211d88898000d6111a684.nasl | ACT_GATHER_INFO |
| 2004-09-29 | The remote Debian host is missing a security-related update. | debian_DSA-535.nasl | ACT_GATHER_INFO |
| 2004-09-08 | The remote host is missing a Mac OS X update that fixes a security issue. | macosx_SecUpd20040907.nasl | ACT_GATHER_INFO |
| 2004-08-30 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200405-16.nasl | ACT_GATHER_INFO |
| 2004-08-30 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200406-08.nasl | ACT_GATHER_INFO |
| 2004-07-23 | The remote Fedora Core host is missing a security update. | fedora_2004-159.nasl | ACT_GATHER_INFO |
| 2004-07-23 | The remote Fedora Core host is missing a security update. | fedora_2004-160.nasl | ACT_GATHER_INFO |
| 2004-07-06 | The remote Red Hat host is missing a security update. | redhat-RHSA-2004-240.nasl | ACT_GATHER_INFO |
| 2004-05-05 | The remote service is vulnerable to injection attacks allowing command execut... | squirrelmail_143.nasl | ACT_GATHER_INFO |
Alert History

| Date | Information |
|---|---|
| 2014-02-17 11:48:31 | |