CyberSec.Space Logo
CVEブラウザに戻る

CVE-2019-12970

MEDIUM
6.1
CVSS Severity Score
EPSS Score0.1250%
EPSS Percentile42.18th
Published2019年7月1日
Last Modified2024年11月21日

Vulnerability Description

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element.

Affected Platforms (CPE)

📦
Squirrelmail

Squirrelmail

<= 1.4.22
📦
Squirrelmail

Squirrelmail

>= 1.5.0 and <= 1.5.2

References & Advisories

🔗 http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html
🔗 https://lists.debian.org/debian-lts-announce/2019/08/msg00000.html
🔗 https://seclists.org/bugtraq/2019/Jul/0
🔗 https://seclists.org/bugtraq/2019/Jul/50
🔗 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt
🔗 http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html
🔗 https://lists.debian.org/debian-lts-announce/2019/08/msg00000.html
🔗 https://seclists.org/bugtraq/2019/Jul/0

関連する脆弱性情報

CVE-2004-052110.0

SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with ...

CVE-2004-052410.0

Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gai...

CVE-2002-051610.0

SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variab...

CVE-2020-149329.8

compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is...