CVE Reference: CVE-2009-1578

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia nor the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE:
CVE-2009-1578

Description:
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).

CVE Status:
Candidate

References:

XF
  http://xforce.iss.net/xforce/xfdb/50460
  http://xforce.iss.net/xforce/xfdb/50459

SAID
  Secunia Advisory: SA40220
  Secunia Advisory: SA35259
  Secunia Advisory: SA35052
  Secunia Advisory: SA35073
  Secunia Advisory: SA35140
  Secunia Advisory: SA37415

REDHAT
  http://www.redhat.com/support/errata/RHSA-2009-1066.html

OVAL
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11624

OSVDB
  60468

MANDRIVA
  http://www.mandriva.com/security/advisories?name=MDVSA-2009:110

FEDORA

DEBIAN
  http://www.debian.org/security/2009/dsa-1802

CONFIRM
  http://www.squirrelmail.org/security/issue/2009-05-09
  http://support.apple.com/kb/HT4188
  http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13672
  http://www.squirrelmail.org/security/issue/2009-05-08
  http://download.gna.org/nasmail/nasmail-1.7.zip
  http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog
  http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/global.php?r1=13670&r2=13669&pathrev=13670
  http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13670
  http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/contrib/decrypt_headers.php?r1=13672&r2=13671&pathrev=13672

BID
  34916

APPLE
  http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
