4.3

CVE-2009-1578

Exploit
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SquirrelmailSquirrelmail Version <= 1.4.17
SquirrelmailSquirrelmail Version0.1
SquirrelmailSquirrelmail Version0.1.1
SquirrelmailSquirrelmail Version0.1.2
SquirrelmailSquirrelmail Version0.2
SquirrelmailSquirrelmail Version0.2.1
SquirrelmailSquirrelmail Version0.3
SquirrelmailSquirrelmail Version0.3.1
SquirrelmailSquirrelmail Version0.3pre1
SquirrelmailSquirrelmail Version0.3pre2
SquirrelmailSquirrelmail Version0.4
SquirrelmailSquirrelmail Version0.4pre1
SquirrelmailSquirrelmail Version0.4pre2
SquirrelmailSquirrelmail Version0.5
SquirrelmailSquirrelmail Version0.5pre1
SquirrelmailSquirrelmail Version0.5pre2
SquirrelmailSquirrelmail Version1.0
SquirrelmailSquirrelmail Version1.0.1
SquirrelmailSquirrelmail Version1.0.2
SquirrelmailSquirrelmail Version1.0.3
SquirrelmailSquirrelmail Version1.0.4
SquirrelmailSquirrelmail Version1.0.5
SquirrelmailSquirrelmail Version1.0.6
SquirrelmailSquirrelmail Version1.0pre1
SquirrelmailSquirrelmail Version1.0pre2
SquirrelmailSquirrelmail Version1.0pre3
SquirrelmailSquirrelmail Version1.1.0
SquirrelmailSquirrelmail Version1.1.1
SquirrelmailSquirrelmail Version1.1.2
SquirrelmailSquirrelmail Version1.1.3
SquirrelmailSquirrelmail Version1.2
SquirrelmailSquirrelmail Version1.2.0
SquirrelmailSquirrelmail Version1.2.0_rc3
SquirrelmailSquirrelmail Version1.2.1
SquirrelmailSquirrelmail Version1.2.2
SquirrelmailSquirrelmail Version1.2.3
SquirrelmailSquirrelmail Version1.2.4
SquirrelmailSquirrelmail Version1.2.5
SquirrelmailSquirrelmail Version1.2.6
SquirrelmailSquirrelmail Version1.2.7
SquirrelmailSquirrelmail Version1.2.8
SquirrelmailSquirrelmail Version1.2.9
SquirrelmailSquirrelmail Version1.2.10
SquirrelmailSquirrelmail Version1.2.11
SquirrelmailSquirrelmail Version1.3.0
SquirrelmailSquirrelmail Version1.3.1
SquirrelmailSquirrelmail Version1.3.2
SquirrelmailSquirrelmail Version1.4
SquirrelmailSquirrelmail Version1.4.0
SquirrelmailSquirrelmail Version1.4.0_rc1
SquirrelmailSquirrelmail Version1.4.0_rc2a
SquirrelmailSquirrelmail Version1.4.1
SquirrelmailSquirrelmail Version1.4.10
SquirrelmailSquirrelmail Version1.4.10a
SquirrelmailSquirrelmail Version1.4.11
SquirrelmailSquirrelmail Version1.4.12
SquirrelmailSquirrelmail Version1.4.15
SquirrelmailSquirrelmail Version1.4.15_rc1
SquirrelmailSquirrelmail Version1.4.16
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.98% 0.779
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://download.gna.org/nasmail/nasmail-1.7.zip
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
http://osvdb.org/60468
http://secunia.com/advisories/35052
Vendor Advisory
http://secunia.com/advisories/35073
Vendor Advisory
http://secunia.com/advisories/35140
http://secunia.com/advisories/35259
http://secunia.com/advisories/37415
http://secunia.com/advisories/40220
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php?r1=13672&r2=13671&pathrev=13672
Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/global.php?r1=13670&r2=13669&pathrev=13670
Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13670
Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13672
Patch
http://support.apple.com/kb/HT4188
http://www.debian.org/security/2009/dsa-1802
http://www.mandriva.com/security/advisories?name=MDVSA-2009:110
Patch
Exploit
http://www.redhat.com/support/errata/RHSA-2009-1066.html
http://www.securityfocus.com/bid/34916
Patch
http://www.squirrelmail.org/security/issue/2009-05-08
Patch
Vendor Advisory
http://www.squirrelmail.org/security/issue/2009-05-09
Patch
Vendor Advisory
http://www.vupen.com/english/advisories/2009/1296
Patch
Vendor Advisory
http://www.vupen.com/english/advisories/2009/3315
http://www.vupen.com/english/advisories/2010/1481
https://bugzilla.redhat.com/show_bug.cgi?id=500363
https://exchange.xforce.ibmcloud.com/vulnerabilities/50459
https://exchange.xforce.ibmcloud.com/vulnerabilities/50460
https://gna.org/forum/forum.php?forum_id=2146
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11624
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00566.html
Patch
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00572.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00577.html
Patch