Vulnerabilities (CVE)

Filtered by vendor Squirrelmail Subscribe
Total 76 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2007-3778 1 Squirrelmail 1 Gpg Plugin 2025-04-09 7.5 HIGH N/A
The G/PGP (GPG) Plugin 2.0, and 2.1dev before 20060912, for Squirrelmail allows remote attackers to execute arbitrary commands via shell metacharacters in the messageSignedText parameter to the gpg_check_sign_pgp_mime function in gpg_hook_functions.php. NOTE: a parameter value can be set in the contents of an e-mail message.
CVE-2007-3635 1 Squirrelmail 2 Gpg Plugin, Squirrelmail 2025-04-09 4.3 MEDIUM N/A
Multiple unspecified vulnerabilities in the G/PGP (GPG) Plugin before 2.1 for Squirrelmail might allow "local authenticated users" to inject certain commands via unspecified vectors. NOTE: this might overlap CVE-2005-1924, CVE-2006-4169, or CVE-2007-3634.
CVE-2007-6348 1 Squirrelmail 1 Squirrelmail 2025-04-09 6.8 MEDIUM N/A
SquirrelMail 1.4.11 and 1.4.12, as distributed on sourceforge.net before 20071213, has been externally modified to create a Trojan Horse that introduces a PHP remote file inclusion vulnerability, which allows remote attackers to execute arbitrary code.
CVE-2006-4169 1 Squirrelmail 1 Gpg Plugin 2025-04-09 5.5 MEDIUM N/A
Multiple directory traversal vulnerabilities in the G/PGP (GPG) Plugin 2.0, and 2.1dev before 20070614, for Squirrelmail allow remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the help parameter to (1) gpg_help.php or (2) gpg_help_base.php.
CVE-2009-2964 1 Squirrelmail 1 Squirrelmail 2025-04-09 6.8 MEDIUM N/A
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
CVE-2009-1580 1 Squirrelmail 1 Squirrelmail 2025-04-09 5.8 MEDIUM N/A
Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.
CVE-2009-0030 1 Squirrelmail 1 Squirrelmail 2025-04-09 6.5 MEDIUM N/A
A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.
CVE-2007-3779 1 Squirrelmail 1 Gpg Plugin 2025-04-09 4.3 MEDIUM N/A
PHP local file inclusion vulnerability in gpg_pop_init.php in the G/PGP (GPG) Plugin before 20070707 for Squirrelmail allows remote attackers to include and execute arbitrary local files, related to the MOD parameter.
CVE-2007-2631 1 Squirrelmail 1 Squirrelmail 2025-04-09 7.5 HIGH N/A
Cross-site request forgery (CSRF) vulnerability in SquirrelMail 1.4.8-4.fc6 and earlier allows remote attackers to perform unspecified actions as arbitrary users via unspecified vectors. NOTE: this issue might overlap CVE-2007-2589 or CVE-2002-1648.
CVE-2009-1579 1 Squirrelmail 1 Squirrelmail 2025-04-09 6.8 MEDIUM N/A
The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.
CVE-2005-1769 1 Squirrelmail 1 Squirrelmail 2025-04-03 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in (1) the URL or (2) an e-mail message.
CVE-2005-3128 1 Squirrelmail 1 Address Add Plugin 2025-04-03 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in add.php in Address Add Plugin 1.9 and 2.0 for Squirrelmail allows remote attackers to inject arbitrary web script or HTML via the IMG tag.
CVE-2006-0195 1 Squirrelmail 1 Squirrelmail 2025-04-03 4.3 MEDIUM N/A
Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer.
CVE-2005-0152 1 Squirrelmail 1 Squirrelmail 2025-04-03 7.5 HIGH N/A
PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows remote attackers to execute arbitrary code via "URL manipulation."
CVE-2002-1276 1 Squirrelmail 1 Squirrelmail 2025-04-03 4.3 MEDIUM N/A
An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks.
CVE-2006-3174 1 Squirrelmail 1 Squirrelmail 2025-04-03 2.6 LOW N/A
Cross-site scripting (XSS) vulnerability in search.php in SquirrelMail 1.5.1 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary HTML via the mailbox parameter.
CVE-2002-0516 1 Squirrelmail 1 Squirrelmail 2025-04-03 10.0 HIGH N/A
SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variable in a cookie.
CVE-2004-0519 2 Sgi, Squirrelmail 2 Propack, Squirrelmail 2025-04-03 6.8 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
CVE-2006-3665 1 Squirrelmail 1 Squirrelmail 2025-04-03 4.3 MEDIUM N/A
SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows remote attackers to hijack cookies in src/redirect.php via unknown vectors. NOTE: while "cookie theft" is frequently associated with XSS, the vendor disclosure is too vague to be certain of this.
CVE-2005-0075 1 Squirrelmail 1 Squirrelmail 2025-04-03 5.0 MEDIUM N/A
prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers.