6.8

CVE-2009-2964

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SquirrelmailSquirrelmail Version <= 1.4.19
SquirrelmailSquirrelmail Version0.1.1
SquirrelmailSquirrelmail Version0.1.2
SquirrelmailSquirrelmail Version1.0
SquirrelmailSquirrelmail Version1.0.1
SquirrelmailSquirrelmail Version1.0.2
SquirrelmailSquirrelmail Version1.0.3
SquirrelmailSquirrelmail Version1.0.4
SquirrelmailSquirrelmail Version1.0.5
SquirrelmailSquirrelmail Version1.0.6
SquirrelmailSquirrelmail Version1.0pre1
SquirrelmailSquirrelmail Version1.0pre2
SquirrelmailSquirrelmail Version1.0pre3
SquirrelmailSquirrelmail Version1.1.0
SquirrelmailSquirrelmail Version1.1.1
SquirrelmailSquirrelmail Version1.1.2
SquirrelmailSquirrelmail Version1.1.3
SquirrelmailSquirrelmail Version1.2
SquirrelmailSquirrelmail Version1.2.0
SquirrelmailSquirrelmail Version1.2.0 Updaterc3
SquirrelmailSquirrelmail Version1.2.0_rc3
SquirrelmailSquirrelmail Version1.2.1
SquirrelmailSquirrelmail Version1.2.2
SquirrelmailSquirrelmail Version1.2.3
SquirrelmailSquirrelmail Version1.2.4
SquirrelmailSquirrelmail Version1.2.5
SquirrelmailSquirrelmail Version1.2.6
SquirrelmailSquirrelmail Version1.2.6-rc1
SquirrelmailSquirrelmail Version1.2.7
SquirrelmailSquirrelmail Version1.2.8
SquirrelmailSquirrelmail Version1.2.9
SquirrelmailSquirrelmail Version1.2.10
SquirrelmailSquirrelmail Version1.2.11
SquirrelmailSquirrelmail Version1.3.0
SquirrelmailSquirrelmail Version1.3.1
SquirrelmailSquirrelmail Version1.3.2
SquirrelmailSquirrelmail Version1.4
SquirrelmailSquirrelmail Version1.4 Updaterc1
SquirrelmailSquirrelmail Version1.4.0
SquirrelmailSquirrelmail Version1.4.0 Updaterc1
SquirrelmailSquirrelmail Version1.4.0 Updaterc2a
SquirrelmailSquirrelmail Version1.4.0-r1
SquirrelmailSquirrelmail Version1.4.0_rc1
SquirrelmailSquirrelmail Version1.4.0_rc2a
SquirrelmailSquirrelmail Version1.4.1
SquirrelmailSquirrelmail Version1.4.2
SquirrelmailSquirrelmail Version1.4.2-r1
SquirrelmailSquirrelmail Version1.4.2-r2
SquirrelmailSquirrelmail Version1.4.2-r3
SquirrelmailSquirrelmail Version1.4.2-r4
SquirrelmailSquirrelmail Version1.4.2-r5
SquirrelmailSquirrelmail Version1.4.3
SquirrelmailSquirrelmail Version1.4.3 Updater3
SquirrelmailSquirrelmail Version1.4.3 Updaterc1
SquirrelmailSquirrelmail Version1.4.3_r3
SquirrelmailSquirrelmail Version1.4.3_rc1
SquirrelmailSquirrelmail Version1.4.3_rc1 Updater1
SquirrelmailSquirrelmail Version1.4.3a
SquirrelmailSquirrelmail Version1.4.3aa
SquirrelmailSquirrelmail Version1.4.4
SquirrelmailSquirrelmail Version1.4.4 Updaterc1
SquirrelmailSquirrelmail Version1.4.4_rc1
SquirrelmailSquirrelmail Version1.4.5
SquirrelmailSquirrelmail Version1.4.5_rc1
SquirrelmailSquirrelmail Version1.4.6
SquirrelmailSquirrelmail Version1.4.6 Updaterc1
SquirrelmailSquirrelmail Version1.4.6_cvs
SquirrelmailSquirrelmail Version1.4.6_rc1
SquirrelmailSquirrelmail Version1.4.7
SquirrelmailSquirrelmail Version1.4.8
SquirrelmailSquirrelmail Version1.4.8.4fc6
SquirrelmailSquirrelmail Version1.4.9
SquirrelmailSquirrelmail Version1.4.9a
SquirrelmailSquirrelmail Version1.4.10
SquirrelmailSquirrelmail Version1.4.10a
SquirrelmailSquirrelmail Version1.4.11
SquirrelmailSquirrelmail Version1.4.12
SquirrelmailSquirrelmail Version1.4.13
SquirrelmailSquirrelmail Version1.4.15
SquirrelmailSquirrelmail Version1.4.15 Updaterc1
SquirrelmailSquirrelmail Version1.4.15_rc1
SquirrelmailSquirrelmail Version1.4.15rc1
SquirrelmailSquirrelmail Version1.4.16
SquirrelmailSquirrelmail Version1.4.17
SquirrelmailSquirrelmail Version1.4.18
SquirrelmailSquirrelmail Version1.4_rc1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.52% 0.712
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

http://download.gna.org/nasmail/nasmail-1.7.zip
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
http://secunia.com/advisories/37415
http://secunia.com/advisories/40220
http://support.apple.com/kb/HT4188
http://www.vupen.com/english/advisories/2009/3315
http://www.vupen.com/english/advisories/2010/1481
https://gna.org/forum/forum.php?forum_id=2146
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
http://jvn.jp/en/jp/JVN30881447/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
http://osvdb.org/60469
http://secunia.com/advisories/34627
Vendor Advisory
http://secunia.com/advisories/36363
Vendor Advisory
http://secunia.com/advisories/40964
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818
Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
Patch
http://www.debian.org/security/2010/dsa-2091
http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
http://www.osvdb.org/57001
http://www.securityfocus.com/bid/36196
http://www.squirrelmail.org/security/issue/2009-08-12
Patch
Vendor Advisory
http://www.vupen.com/english/advisories/2009/2262
Patch
Vendor Advisory
http://www.vupen.com/english/advisories/2010/2080
https://bugzilla.redhat.com/show_bug.cgi?id=517312
Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html