CVE-2002-1276
- EPSS 0.64%
- Published 29.11.2002 05:00:00
- Last modified 03.04.2025 01:03:51
An incomplete fix for a cross-site scripting (XSS) vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks.
- EPSS 0.62%
- Published 04.10.2002 04:00:00
- Last modified 03.04.2025 01:03:51
SquirrelMail 1.2.7 and earlier allows remote attackers to determine the absolute pathname of the options.php script via a malformed optpage file argument, which generates an error message when the file cannot be included in the script.
CVE-2002-1131
- EPSS 3.88%
- Published 04.10.2002 04:00:00
- Last modified 03.04.2025 01:03:51
Cross-site scripting vulnerabilities in SquirrelMail 1.2.7 and earlier allow remote attackers to execute script as other web users via (1) addressbook.php, (2) options.php, (3) search.php, or (4) help.php.
- EPSS 6.35%
- Published 12.08.2002 04:00:00
- Last modified 03.04.2025 01:03:51
SquirrelMail 1.2.5 and earlier allows authenticated SquirrelMail users to execute arbitrary commands by modifying the THEME variable in a cookie.
CVE-2001-1159
- EPSS 2.4%
- Published 02.07.2001 04:00:00
- Last modified 03.04.2025 01:03:51
load_prefs.php and supporting include files in SquirrelMail 1.0.4 and earlier do not properly initialize certain PHP variables, which allows remote attackers to (1) view sensitive files via the config_php and data_dir options, and (2) execute arbitra...