
squirrelmail: multiple vulnerabilities

Package(s): squirrelmail
CVE #(s): CVE-2011-2023 CVE-2010-4555 CVE-2010-4554
Created: July 25, 2011
Updated: August 15, 2011
Description: From the CVE entries:

Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message. (CVE-2011-2023)

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin, and (3) errors associated with the Index Order (aka options_order) page. (CVE-2010-4555)

functions/page_header.php in SquirrelMail 1.4.21 and earlier does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. (CVE-2010-4554)

Alerts:
Mandriva MDVSA-2011:123 2011-08-13
Debian DSA-2291-1 2011-08-08
Fedora FEDORA-2011-9309 2011-07-13
Fedora FEDORA-2011-9311 2011-07-13
Red Hat RHSA-2012:0103-01 2012-02-08
CentOS CESA-2012:0103 2012-02-08
CentOS CESA-2012:0103 2012-02-08
Oracle ELSA-2012-0103 2012-02-09
Oracle ELSA-2012-0103 2012-02-09
Scientific Linux SL-squi-20120208 2012-02-08


Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds