CyberSec.Space Logo
Back to CVE Browser

CVE-2019-12970

MEDIUM
6.1
CVSS Severity Score
EPSS Score0.1250%
EPSS Percentile42.18th
PublishedJul 1, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element.

Affected Platforms (CPE)

πŸ“¦
Squirrelmail

Squirrelmail

<= 1.4.22
πŸ“¦
Squirrelmail

Squirrelmail

>= 1.5.0 and <= 1.5.2

References & Advisories

πŸ”— http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html
πŸ”— https://lists.debian.org/debian-lts-announce/2019/08/msg00000.html
πŸ”— https://seclists.org/bugtraq/2019/Jul/0
πŸ”— https://seclists.org/bugtraq/2019/Jul/50
πŸ”— https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt
πŸ”— http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html
πŸ”— https://lists.debian.org/debian-lts-announce/2019/08/msg00000.html
πŸ”— https://seclists.org/bugtraq/2019/Jul/0

Related Vulnerabilities

CVE-2004-052110.0

SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with ...

CVE-2004-052410.0

Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gai...

CVE-2002-051610.0

SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variab...

CVE-2020-149329.8

compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is...