CVE-2008-3663 (GCVE-0-2008-3663)
Vulnerability from cvelistv5 – Published: 2008-09-24 14:00 – Updated: 2024-08-07 09:45- n/a
| URL | Tags |
|---|---|
| http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.… | x_refsource_CONFIRM |
| http://secunia.com/advisories/33937 | third-party-advisory, x_refsource_SECUNIA |
| http://int21.de/cve/CVE-2008-3663-squirrelmail.html | x_refsource_MISC |
| http://www.securityfocus.com/bid/31321 | vdb-entry, x_refsource_BID |
| http://support.apple.com/kb/HT3438 | x_refsource_CONFIRM |
| http://securityreason.com/securityalert/4304 | third-party-advisory, x_refsource_SREASON |
| http://lists.apple.com/archives/security-announce… | vendor-advisory, x_refsource_APPLE |
| http://www.securityfocus.com/archive/1/496601/100… | mailing-list, x_refsource_BUGTRAQ |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entry, x_refsource_XF |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| https://oval.cisecurity.org/repository/search/def… | vdb-entry, signature, x_refsource_OVAL |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T09:45:19.086Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
},
{
"name": "33937",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/33937"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
},
{
"name": "31321",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/31321"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://support.apple.com/kb/HT3438"
},
{
"name": "4304",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/4304"
},
{
"name": "APPLE-SA-2009-02-12",
"tags": [
"vendor-advisory",
"x_refsource_APPLE",
"x_transferred"
],
"url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
},
{
"name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
},
{
"name": "squirrelmail-cookie-session-hijacking(45700)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
},
{
"name": "SUSE-SR:2009:004",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"name": "SUSE-SR:2008:028",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
},
{
"name": "oval:org.mitre.oval:def:10548",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL",
"x_transferred"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-09-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-11T19:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
},
{
"name": "33937",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/33937"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
},
{
"name": "31321",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/31321"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://support.apple.com/kb/HT3438"
},
{
"name": "4304",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/4304"
},
{
"name": "APPLE-SA-2009-02-12",
"tags": [
"vendor-advisory",
"x_refsource_APPLE"
],
"url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
},
{
"name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
},
{
"name": "squirrelmail-cookie-session-hijacking(45700)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
},
{
"name": "SUSE-SR:2009:004",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"name": "SUSE-SR:2008:028",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
},
{
"name": "oval:org.mitre.oval:def:10548",
"tags": [
"vdb-entry",
"signature",
"x_refsource_OVAL"
],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html",
"refsource": "CONFIRM",
"url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
},
{
"name": "33937",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/33937"
},
{
"name": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html",
"refsource": "MISC",
"url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
},
{
"name": "31321",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/31321"
},
{
"name": "http://support.apple.com/kb/HT3438",
"refsource": "CONFIRM",
"url": "http://support.apple.com/kb/HT3438"
},
{
"name": "4304",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/4304"
},
{
"name": "APPLE-SA-2009-02-12",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
},
{
"name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
},
{
"name": "squirrelmail-cookie-session-hijacking(45700)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
},
{
"name": "SUSE-SR:2009:004",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"name": "SUSE-SR:2008:028",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
},
{
"name": "oval:org.mitre.oval:def:10548",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-3663",
"datePublished": "2008-09-24T14:00:00.000Z",
"dateReserved": "2008-08-12T00:00:00.000Z",
"dateUpdated": "2024-08-07T09:45:19.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2008-3663",
"date": "2026-05-27",
"epss": "0.01255",
"percentile": "0.79625"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0986D113-C9F9-4645-8968-D165EC6B917D\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.\"}, {\"lang\": \"es\", \"value\": \"Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesi\\u00f3n en una sesi\\u00f3n https, lo que podr\\u00eda provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie.\"}]",
"id": "CVE-2008-3663",
"lastModified": "2024-11-21T00:49:49.200",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2008-09-24T14:56:52.537",
"references": "[{\"url\": \"http://int21.de/cve/CVE-2008-3663-squirrelmail.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/33937\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://securityreason.com/securityalert/4304\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://support.apple.com/kb/HT3438\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/archive/1/496601/100/0/threaded\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/31321\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/45700\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://int21.de/cve/CVE-2008-3663-squirrelmail.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/33937\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"http://securityreason.com/securityalert/4304\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://support.apple.com/kb/HT3438\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/496601/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/31321\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/45700\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@mitre.org",
"vendorComments": "[{\"organization\": \"Red Hat\", \"comment\": \"This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html\", \"lastModified\": \"2009-01-12T00:00:00\"}]",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-310\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2008-3663\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2008-09-24T14:56:52.537\",\"lastModified\":\"2026-04-23T00:35:47.467\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.\"},{\"lang\":\"es\",\"value\":\"Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesi\u00f3n en una sesi\u00f3n https, lo que podr\u00eda provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0986D113-C9F9-4645-8968-D165EC6B917D\"}]}]}],\"references\":[{\"url\":\"http://int21.de/cve/CVE-2008-3663-squirrelmail.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-securit
y-announce/2008-12/msg00003.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/33937\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securityreason.com/securityalert/4304\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://support.apple.com/kb/HT3438\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/496601/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/31321\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/45700\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://int21.de/cve/CVE-2008-3663-squirrelmail.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/33937\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securityreason.com/securityalert/4304\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://support.apple.com/kb/HT3438\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfo
cus.com/archive/1/496601/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/31321\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/45700\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"vendorComments\":[{\"organization\":\"Red Hat\",\"comment\":\"This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html\",\"lastModified\":\"2009-01-12T00:00:00\"}]}}"
}
}
CERTA-2008-AVI-529
Vulnerability from certfr_avis - Published: 2008-10-27 (version initiale) - Updated: n/a
Une vulnérabilité dans SquirrelMail permet l'interception de cookie de session en clair.
Description
SquirrelMail (1.4.15) ne positionne pas correctement l'indicateur (flag) Secure sur le cookie de session créé dans une session https : le navigateur peut donc renvoyer ce cookie dans des requêtes HTTP en clair vers le même serveur, ce qui le rend vulnérable à une interception par un attaquant en mesure d'observer le trafic réseau, et permet un détournement de session (session hijacking).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Systèmes affectés : les versions de SquirrelMail antérieures à la 1.4.16 (le correctif est inclus dans la version 1.4.16).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cp\u003eLes versions ant\u00e9rieures \u00e0 la 1.4.16.\u003c/p\u003e",
"content": "## Description\n\nSquirrelMail ne positionne pas correctement l\u0027indicateur (flag) Secure\npour les cookies de session https, ce qui les rend vuln\u00e9rables \u00e0 une\ninterception.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2008-3663",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
}
],
"links": [
{
"title": "Bulletin de mise \u00e0 jour Squirrel 1.4.16 du 28 septembre 2008 :",
"url": "http://www.squirrelmail.org/index.php"
}
],
"reference": "CERTA-2008-AVI-529",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2008-10-27T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 dans SquirrelMail permet l\u0027interception de \u003cspan\nclass=\"textit\"\u003ecookie\u003c/span\u003e de session en clair.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans SquirrelMail",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de mise \u00e0 jour SquirrelMail 1.4.16 du 28 septembre 2008",
"url": null
}
]
}
CERTA-2009-AVI-068
Vulnerability from certfr_avis - Published: 2009-02-13 (version initiale) - Updated: n/a
De multiples vulnérabilités ont été découvertes dans le système Mac OS X d'Apple. L'exploitation de ces vulnérabilités permet un grand nombre d'actions, dont l'exécution de code arbitraire à distance.
Description
Apple vient de publier des mises à jour pour son système d'exploitation Mac OS X. Ces correctifs concernent la mise à jour de plusieurs applicatifs :
- AFP Server ;
- Apple Pixlet Video ;
- Carbon Core ;
- CFNetwork ;
- Certificate Assistant ;
- ClamAV ;
- CoreText ;
- CUPS ;
- DS Tools ;
- fetchmail ;
- Folder Manager ;
- FSEvents ;
- Network Time ;
- perl ;
- Printing ;
- python ;
- Remote Apple Events ;
- Safari RSS ;
- servermgrd ;
- SMB ;
- SquirrelMail ;
- X11 ;
- Xterm.
L'exploitation des différentes vulnérabilités permet d'effectuer un grand nombre d'actions malveillantes, dont l'exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Mac OS X versions 10.5.6 et ant\u00e9rieures ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Mac OS X versions 10.4.11 et ant\u00e9rieures.",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nApple vient de publier des mises \u00e0 jour pour son syst\u00e8me d\u0027exploitation\nMac OS X. Ces correctifs concernent la mise \u00e0 jour de plusieurs\napplicatifs :\n\n- AFP Server ;\n- Apple Pixlet Video ;\n- Carbon Core ;\n- CFNetwork ;\n- Certificate Assistant ;\n- ClamAV ;\n- CoreText ;\n- CUPS ;\n- DS Tools ;\n- fetchmail ;\n- Folder Manager ;\n- FSEvents ;\n- Network Time ;\n- perl ;\n- Printing ;\n- python ;\n- Remote Apple Events ;\n- Safari RSS ;\n- servermgrd ;\n- SMB ;\n- SquirrelMail ;\n- X11 ;\n- Xterm.\n\nL\u0027exploitation des diff\u00e9rentes vuln\u00e9rabilit\u00e9s permet d\u0027effectuer un\ngrand nombre d\u0027actions malveillantes, dont l\u0027ex\u00e9cution de code\narbitraire \u00e0 distance.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2008-2316",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2316"
},
{
"name": "CVE-2008-2361",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2361"
},
{
"name": "CVE-2008-2379",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
},
{
"name": "CVE-2008-1808",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1808"
},
{
"name": "CVE-2009-0020",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0020"
},
{
"name": "CVE-2009-0012",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0012"
},
{
"name": "CVE-2008-3663",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
},
{
"name": "CVE-2009-0141",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0141"
},
{
"name": "CVE-2008-3142",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3142"
},
{
"name": "CVE-2007-4565",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-4565"
},
{
"name": "CVE-2007-1352",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-1352"
},
{
"name": "CVE-2009-0139",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0139"
},
{
"name": "CVE-2008-4864",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-4864"
},
{
"name": "CVE-2009-0019",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0019"
},
{
"name": "CVE-2008-1679",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1679"
},
{
"name": "CVE-2008-2711",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2711"
},
{
"name": "CVE-2008-3144",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3144"
},
{
"name": "CVE-2008-2362",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2362"
},
{
"name": "CVE-2009-0018",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0018"
},
{
"name": "CVE-2009-0140",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0140"
},
{
"name": "CVE-2009-0015",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0015"
},
{
"name": "CVE-2008-1379",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1379"
},
{
"name": "CVE-2008-5031",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-5031"
},
{
"name": "CVE-2008-1721",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1721"
},
{
"name": "CVE-2008-5050",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-5050"
},
{
"name": "CVE-2006-1861",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-1861"
},
{
"name": "CVE-2008-1927",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1927"
},
{
"name": "CVE-2007-1667",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-1667"
},
{
"name": "CVE-2008-5183",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-5183"
},
{
"name": "CVE-2009-0138",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0138"
},
{
"name": "CVE-2009-0014",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0014"
},
{
"name": "CVE-2009-0009",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0009"
},
{
"name": "CVE-2009-0137",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0137"
},
{
"name": "CVE-2008-2360",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2360"
},
{
"name": "CVE-2009-0142",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0142"
},
{
"name": "CVE-2007-4965",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-4965"
},
{
"name": "CVE-2009-0011",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0011"
},
{
"name": "CVE-2008-5314",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-5314"
},
{
"name": "CVE-2008-1807",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1807"
},
{
"name": "CVE-2008-1887",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1887"
},
{
"name": "CVE-2008-1377",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1377"
},
{
"name": "CVE-2007-1351",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-1351"
},
{
"name": "CVE-2008-2315",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2315"
},
{
"name": "CVE-2009-0013",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0013"
},
{
"name": "CVE-2009-0017",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0017"
},
{
"name": "CVE-2006-3467",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-3467"
},
{
"name": "CVE-2008-1806",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1806"
}
],
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT3438 du 12 f\u00e9vrier 2009 :",
"url": "http://support.apple.com/kb/HT3438"
}
],
"reference": "CERTA-2009-AVI-068",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2009-02-13T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le syst\u00e8me Mac OS X\nd\u0027Apple. L\u0027exploitation de ces vuln\u00e9rabilit\u00e9s permet un grand nombre\nd\u0027actions, dont l\u0027ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple Mac OS X",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple 2009-001 du 12 f\u00e9vrier 2009",
"url": null
}
]
}
CERTA-2008-AVI-529
Vulnerability from certfr_avis - Published: 2008-10-27 (version initiale) - Updated: n/a
Une vulnérabilité dans SquirrelMail permet l'interception de cookie de session en clair.
Description
SquirrelMail (1.4.15) ne positionne pas correctement l'indicateur (flag) Secure sur le cookie de session créé dans une session https : le navigateur peut donc renvoyer ce cookie dans des requêtes HTTP en clair vers le même serveur, ce qui le rend vulnérable à une interception par un attaquant en mesure d'observer le trafic réseau, et permet un détournement de session (session hijacking).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Systèmes affectés : les versions de SquirrelMail antérieures à la 1.4.16 (le correctif est inclus dans la version 1.4.16).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [],
"affected_systems_content": "\u003cp\u003eLes versions ant\u00e9rieures \u00e0 la 1.4.16.\u003c/p\u003e",
"content": "## Description\n\nSquirrelMail ne positionne pas correctement l\u0027indicateur (flag) Secure\npour les cookies de session https, ce qui les rend vuln\u00e9rables \u00e0 une\ninterception.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2008-3663",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
}
],
"links": [
{
"title": "Bulletin de mise \u00e0 jour Squirrel 1.4.16 du 28 septembre 2008 :",
"url": "http://www.squirrelmail.org/index.php"
}
],
"reference": "CERTA-2008-AVI-529",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2008-10-27T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 dans SquirrelMail permet l\u0027interception de \u003cspan\nclass=\"textit\"\u003ecookie\u003c/span\u003e de session en clair.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans SquirrelMail",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de mise \u00e0 jour SquirrelMail 1.4.16 du 28 septembre 2008",
"url": null
}
]
}
CERTA-2009-AVI-068
Vulnerability from certfr_avis - Published: 2009-02-13 (version initiale) - Updated: n/a
De multiples vulnérabilités ont été découvertes dans le système Mac OS X d'Apple. L'exploitation de ces vulnérabilités permet un grand nombre d'actions, dont l'exécution de code arbitraire à distance.
Description
Apple vient de publier des mises à jour pour son système d'exploitation Mac OS X. Ces correctifs concernent la mise à jour de plusieurs applicatifs :
- AFP Server ;
- Apple Pixlet Video ;
- Carbon Core ;
- CFNetwork ;
- Certificate Assistant ;
- ClamAV ;
- CoreText ;
- CUPS ;
- DS Tools ;
- fetchmail ;
- Folder Manager ;
- FSEvents ;
- Network Time ;
- perl ;
- Printing ;
- python ;
- Remote Apple Events ;
- Safari RSS ;
- servermgrd ;
- SMB ;
- SquirrelMail ;
- X11 ;
- Xterm.
L'exploitation des différentes vulnérabilités permet d'effectuer un grand nombre d'actions malveillantes, dont l'exécution de code arbitraire à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Mac OS X versions 10.5.6 et ant\u00e9rieures ;",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
},
{
"description": "Mac OS X versions 10.4.11 et ant\u00e9rieures.",
"product": {
"name": "N/A",
"vendor": {
"name": "Apple",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Description\n\nApple vient de publier des mises \u00e0 jour pour son syst\u00e8me d\u0027exploitation\nMac OS X. Ces correctifs concernent la mise \u00e0 jour de plusieurs\napplicatifs :\n\n- AFP Server ;\n- Apple Pixlet Video ;\n- Carbon Core ;\n- CFNetwork ;\n- Certificate Assistant ;\n- ClamAV ;\n- CoreText ;\n- CUPS ;\n- DS Tools ;\n- fetchmail ;\n- Folder Manager ;\n- FSEvents ;\n- Network Time ;\n- perl ;\n- Printing ;\n- python ;\n- Remote Apple Events ;\n- Safari RSS ;\n- servermgrd ;\n- SMB ;\n- SquirrelMail ;\n- X11 ;\n- Xterm.\n\nL\u0027exploitation des diff\u00e9rentes vuln\u00e9rabilit\u00e9s permet d\u0027effectuer un\ngrand nombre d\u0027actions malveillantes, dont l\u0027ex\u00e9cution de code\narbitraire \u00e0 distance.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2008-2316",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2316"
},
{
"name": "CVE-2008-2361",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2361"
},
{
"name": "CVE-2008-2379",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
},
{
"name": "CVE-2008-1808",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1808"
},
{
"name": "CVE-2009-0020",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0020"
},
{
"name": "CVE-2009-0012",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0012"
},
{
"name": "CVE-2008-3663",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
},
{
"name": "CVE-2009-0141",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0141"
},
{
"name": "CVE-2008-3142",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3142"
},
{
"name": "CVE-2007-4565",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-4565"
},
{
"name": "CVE-2007-1352",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-1352"
},
{
"name": "CVE-2009-0139",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0139"
},
{
"name": "CVE-2008-4864",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-4864"
},
{
"name": "CVE-2009-0019",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0019"
},
{
"name": "CVE-2008-1679",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1679"
},
{
"name": "CVE-2008-2711",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2711"
},
{
"name": "CVE-2008-3144",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3144"
},
{
"name": "CVE-2008-2362",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2362"
},
{
"name": "CVE-2009-0018",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0018"
},
{
"name": "CVE-2009-0140",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0140"
},
{
"name": "CVE-2009-0015",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0015"
},
{
"name": "CVE-2008-1379",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1379"
},
{
"name": "CVE-2008-5031",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-5031"
},
{
"name": "CVE-2008-1721",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1721"
},
{
"name": "CVE-2008-5050",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-5050"
},
{
"name": "CVE-2006-1861",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-1861"
},
{
"name": "CVE-2008-1927",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1927"
},
{
"name": "CVE-2007-1667",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-1667"
},
{
"name": "CVE-2008-5183",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-5183"
},
{
"name": "CVE-2009-0138",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0138"
},
{
"name": "CVE-2009-0014",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0014"
},
{
"name": "CVE-2009-0009",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0009"
},
{
"name": "CVE-2009-0137",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0137"
},
{
"name": "CVE-2008-2360",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2360"
},
{
"name": "CVE-2009-0142",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0142"
},
{
"name": "CVE-2007-4965",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-4965"
},
{
"name": "CVE-2009-0011",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0011"
},
{
"name": "CVE-2008-5314",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-5314"
},
{
"name": "CVE-2008-1807",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1807"
},
{
"name": "CVE-2008-1887",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1887"
},
{
"name": "CVE-2008-1377",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1377"
},
{
"name": "CVE-2007-1351",
"url": "https://www.cve.org/CVERecord?id=CVE-2007-1351"
},
{
"name": "CVE-2008-2315",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2315"
},
{
"name": "CVE-2009-0013",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0013"
},
{
"name": "CVE-2009-0017",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-0017"
},
{
"name": "CVE-2006-3467",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-3467"
},
{
"name": "CVE-2008-1806",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-1806"
}
],
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Apple HT3438 du 12 f\u00e9vrier 2009 :",
"url": "http://support.apple.com/kb/HT3438"
}
],
"reference": "CERTA-2009-AVI-068",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2009-02-13T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le syst\u00e8me Mac OS X\nd\u0027Apple. L\u0027exploitation de ces vuln\u00e9rabilit\u00e9s permet un grand nombre\nd\u0027actions, dont l\u0027ex\u00e9cution de code arbitraire \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple Mac OS X",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apple 2009-001 du 12 f\u00e9vrier 2009",
"url": null
}
]
}
FKIE_CVE-2008-3663
Vulnerability from fkie_nvd - Published: 2008-09-24 14:56 - Updated: 2026-04-23 00:35
| Vendor | Product | Version | |
|---|---|---|---|
| squirrelmail | squirrelmail | 1.4.15 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "0986D113-C9F9-4645-8968-D165EC6B917D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
},
{
"lang": "es",
"value": "Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesi\u00f3n en una sesi\u00f3n https, lo que podr\u00eda provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie."
}
],
"id": "CVE-2008-3663",
"lastModified": "2026-04-23T00:35:47.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-09-24T14:56:52.537",
"references": [
{
"source": "cve@mitre.org",
"url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/33937"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/4304"
},
{
"source": "cve@mitre.org",
"url": "http://support.apple.com/kb/HT3438"
},
{
"source": "cve@mitre.org",
"url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/31321"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
},
{
"source": "cve@mitre.org",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/33937"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/4304"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://support.apple.com/kb/HT3438"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31321"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
}
],
"sourceIdentifier": "cve@mitre.org",
"vendorComments": [
{
"comment": "This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html",
"lastModified": "2009-01-12T00:00:00",
"organization": "Red Hat"
}
],
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-V6VW-6GWH-PPRH
Vulnerability from github – Published: 2022-05-02 00:02 – Updated: 2022-05-02 00:02
Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
{
"affected": [],
"aliases": [
"CVE-2008-3663"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-09-24T14:56:00Z",
"severity": "MODERATE"
},
"details": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
"id": "GHSA-v6vw-6gwh-pprh",
"modified": "2022-05-02T00:02:29Z",
"published": "2022-05-02T00:02:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
},
{
"type": "WEB",
"url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/33937"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/4304"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT3438"
},
{
"type": "WEB",
"url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/31321"
}
],
"schema_version": "1.4.0",
"severity": []
}
GSD-2008-3663
Vulnerability from gsd - Updated: 2023-12-13 01:23
{
"GSD": {
"alias": "CVE-2008-3663",
"description": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
"id": "GSD-2008-3663",
"references": [
"https://www.suse.com/security/cve/CVE-2008-3663.html",
"https://access.redhat.com/errata/RHSA-2009:0010",
"https://linux.oracle.com/cve/CVE-2008-3663.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2008-3663"
],
"details": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
"id": "GSD-2008-3663",
"modified": "2023-12-13T01:23:05.895043Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html",
"refsource": "CONFIRM",
"url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
},
{
"name": "33937",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/33937"
},
{
"name": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html",
"refsource": "MISC",
"url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
},
{
"name": "31321",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/31321"
},
{
"name": "http://support.apple.com/kb/HT3438",
"refsource": "CONFIRM",
"url": "http://support.apple.com/kb/HT3438"
},
{
"name": "4304",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/4304"
},
{
"name": "APPLE-SA-2009-02-12",
"refsource": "APPLE",
"url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
},
{
"name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
},
{
"name": "squirrelmail-cookie-session-hijacking(45700)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
},
{
"name": "SUSE-SR:2009:004",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"name": "SUSE-SR:2008:028",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
},
{
"name": "oval:org.mitre.oval:def:10548",
"refsource": "OVAL",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3663"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html",
"refsource": "MISC",
"tags": [],
"url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
},
{
"name": "31321",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/31321"
},
{
"name": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
},
{
"name": "SUSE-SR:2008:028",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
},
{
"name": "4304",
"refsource": "SREASON",
"tags": [],
"url": "http://securityreason.com/securityalert/4304"
},
{
"name": "APPLE-SA-2009-02-12",
"refsource": "APPLE",
"tags": [],
"url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
},
{
"name": "SUSE-SR:2009:004",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
},
{
"name": "33937",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/33937"
},
{
"name": "http://support.apple.com/kb/HT3438",
"refsource": "CONFIRM",
"tags": [],
"url": "http://support.apple.com/kb/HT3438"
},
{
"name": "squirrelmail-cookie-session-hijacking(45700)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
},
{
"name": "oval:org.mitre.oval:def:10548",
"refsource": "OVAL",
"tags": [],
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
},
{
"name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
"refsource": "BUGTRAQ",
"tags": [],
"url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2018-10-11T20:49Z",
"publishedDate": "2008-09-24T14:56Z"
}
}
}
RHSA-2009:0010
Vulnerability from csaf_redhat - Published: 2009-01-12 14:24 - Updated: 2025-11-21 17:34
Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 3AS:squirrelmail-0:1.4.8-8.el3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3AS:squirrelmail-0:1.4.8-8.el3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3Desktop:squirrelmail-0:1.4.8-8.el3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3Desktop:squirrelmail-0:1.4.8-8.el3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3ES:squirrelmail-0:1.4.8-8.el3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3ES:squirrelmail-0:1.4.8-8.el3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3WS:squirrelmail-0:1.4.8-8.el3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3WS:squirrelmail-0:1.4.8-8.el3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4AS:squirrelmail-0:1.4.8-5.el4_7.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4ES:squirrelmail-0:1.4.8-5.el4_7.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4WS:squirrelmail-0:1.4.8-5.el4_7.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:squirrelmail-0:1.4.8-5.el5_2.2.src | — |
Vendor Fix
fix
|
Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 3AS:squirrelmail-0:1.4.8-8.el3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3AS:squirrelmail-0:1.4.8-8.el3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3Desktop:squirrelmail-0:1.4.8-8.el3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3Desktop:squirrelmail-0:1.4.8-8.el3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3ES:squirrelmail-0:1.4.8-8.el3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3ES:squirrelmail-0:1.4.8-8.el3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3WS:squirrelmail-0:1.4.8-8.el3.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 3WS:squirrelmail-0:1.4.8-8.el3.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4AS:squirrelmail-0:1.4.8-5.el4_7.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4ES:squirrelmail-0:1.4.8-5.el4_7.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4WS:squirrelmail-0:1.4.8-5.el4_7.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server:squirrelmail-0:1.4.8-5.el5_2.2.src | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated squirrelmail package that resolves various security issues is\nnow available for Red Hat Enterprise Linux 3, 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red\nHat Security Response Team.",
"title": "Topic"
},
{
"category": "general",
"text": "SquirrelMail is an easy-to-configure, standards-based, webmail package\nwritten in PHP. It includes built-in PHP support for the IMAP and SMTP\nprotocols, and pure HTML 4.0 page-rendering (with no JavaScript required)\nfor maximum browser-compatibility, strong MIME support, address books, and\nfolder manipulation.\n\nIvan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail\ncaused by insufficient HTML mail sanitization. A remote attacker could send\na specially-crafted HTML mail or attachment that could cause a user\u0027s Web\nbrowser to execute a malicious script in the context of the SquirrelMail\nsession when that email or attachment was opened by the user.\n(CVE-2008-2379)\n\nIt was discovered that SquirrelMail allowed cookies over insecure\nconnections (ie did not restrict cookies to HTTPS connections). An attacker\nwho controlled the communication channel between a user and the\nSquirrelMail server, or who was able to sniff the user\u0027s network\ncommunication, could use this flaw to obtain the user\u0027s session cookie, if\na user made an HTTP request to the server. (CVE-2008-3663)\n\nNote: After applying this update, all session cookies set for SquirrelMail\nsessions started over HTTPS connections will have the \"secure\" flag set.\nThat is, browsers will only send such cookies over an HTTPS connection. If\nneeded, you can revert to the previous behavior by setting the\nconfiguration option \"$only_secure_cookies\" to \"false\" in SquirrelMail\u0027s\n/etc/squirrelmail/config.php configuration file.\n\nUsers of squirrelmail should upgrade to this updated package, which\ncontains backported patches to correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2009:0010",
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2008-09-28",
"url": "http://www.squirrelmail.org/security/issue/2008-09-28"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2008-12-04",
"url": "http://www.squirrelmail.org/security/issue/2008-12-04"
},
{
"category": "external",
"summary": "464183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
},
{
"category": "external",
"summary": "473877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0010.json"
}
],
"title": "Red Hat Security Advisory: squirrelmail security update",
"tracking": {
"current_release_date": "2025-11-21T17:34:09+00:00",
"generator": {
"date": "2025-11-21T17:34:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2009:0010",
"initial_release_date": "2009-01-12T14:24:00+00:00",
"revision_history": [
{
"date": "2009-01-12T14:24:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2009-01-12T09:26:41+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:34:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 4",
"product": {
"name": "Red Hat Enterprise Linux AS version 4",
"product_id": "4AS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop version 4",
"product": {
"name": "Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::desktop"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 4",
"product": {
"name": "Red Hat Enterprise Linux ES version 4",
"product_id": "4ES",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 4",
"product": {
"name": "Red Hat Enterprise Linux WS version 4",
"product_id": "4WS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::ws"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 3",
"product": {
"name": "Red Hat Enterprise Linux AS version 3",
"product_id": "3AS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Desktop version 3",
"product": {
"name": "Red Hat Desktop version 3",
"product_id": "3Desktop",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::desktop"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 3",
"product": {
"name": "Red Hat Enterprise Linux ES version 3",
"product_id": "3ES",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 3",
"product": {
"name": "Red Hat Enterprise Linux WS version 3",
"product_id": "3WS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::ws"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product_id": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=src"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product_id": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=src"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-8.el3.src",
"product": {
"name": "squirrelmail-0:1.4.8-8.el3.src",
"product_id": "squirrelmail-0:1.4.8-8.el3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product_id": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product_id": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-8.el3.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch",
"product_id": "squirrelmail-0:1.4.8-8.el3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux AS version 3",
"product_id": "3AS:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux AS version 3",
"product_id": "3AS:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Desktop version 3",
"product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Desktop version 3",
"product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux ES version 3",
"product_id": "3ES:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux ES version 3",
"product_id": "3ES:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux WS version 3",
"product_id": "3WS:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux WS version 3",
"product_id": "3WS:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux AS version 4",
"product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux AS version 4",
"product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux ES version 4",
"product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux ES version 4",
"product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux WS version 4",
"product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux WS version 4",
"product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"relates_to_product_reference": "5Server"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2008-2379",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2008-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "473877"
}
],
"notes": [
{
"category": "description",
"text": "Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "squirrelmail: XSS issue caused by insufficient HTML mail sanitization",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-2379"
},
{
"category": "external",
"summary": "RHBZ#473877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-2379",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379"
}
],
"release_date": "2008-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-12T14:24:00+00:00",
"details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "squirrelmail: XSS issue caused by insufficient HTML mail sanitization"
},
{
"cve": "CVE-2008-3663",
"discovery_date": "2008-09-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "464183"
}
],
"notes": [
{
"category": "description",
"text": "SquirrelMail 1.4.15 does not set the secure flag on the session cookie when the session is established over HTTPS, so the browser also sends the cookie on plain HTTP requests to the same server. An attacker who can observe or intercept the user\u0027s network traffic (or induce a plain HTTP request to the server) can capture the cookie and hijack the session.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "squirrelmail: session hijacking - secure flag not set on session cookies issued over HTTPS",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-3663"
},
{
"category": "external",
"summary": "RHBZ#464183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-3663",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663"
}
],
"release_date": "2008-08-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-12T14:24:00+00:00",
"details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "squirrelmail: session hijacking - secure flag not set on session cookies issued over HTTPS"
}
]
}
RHSA-2009_0010
Vulnerability from csaf_redhat - Published: 2009-01-12 14:24 - Updated: 2024-11-22 02:23
Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
SquirrelMail 1.4.15 does not set the secure flag on the session cookie when the session is established over HTTPS, so the browser also sends the cookie on plain HTTP requests to the same server. An attacker who can observe or intercept the user's network traffic (or induce a plain HTTP request to the server) can capture the cookie and hijack the session.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated squirrelmail package that resolves various security issues is\nnow available for Red Hat Enterprise Linux 3, 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red\nHat Security Response Team.",
"title": "Topic"
},
{
"category": "general",
"text": "SquirrelMail is an easy-to-configure, standards-based, webmail package\nwritten in PHP. It includes built-in PHP support for the IMAP and SMTP\nprotocols, and pure HTML 4.0 page-rendering (with no JavaScript required)\nfor maximum browser-compatibility, strong MIME support, address books, and\nfolder manipulation.\n\nIvan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail\ncaused by insufficient HTML mail sanitization. A remote attacker could send\na specially-crafted HTML mail or attachment that could cause a user\u0027s Web\nbrowser to execute a malicious script in the context of the SquirrelMail\nsession when that email or attachment was opened by the user.\n(CVE-2008-2379)\n\nIt was discovered that SquirrelMail allowed cookies over insecure\nconnections (i.e. did not restrict cookies to HTTPS connections). An attacker\nwho controlled the communication channel between a user and the\nSquirrelMail server, or who was able to sniff the user\u0027s network\ncommunication, could use this flaw to obtain the user\u0027s session cookie, if\na user made an HTTP request to the server. (CVE-2008-3663)\n\nNote: After applying this update, all session cookies set for SquirrelMail\nsessions started over HTTPS connections will have the \"secure\" flag set.\nThat is, browsers will only send such cookies over an HTTPS connection. If\nneeded, you can revert to the previous behavior by setting the\nconfiguration option \"$only_secure_cookies\" to \"false\" in SquirrelMail\u0027s\n/etc/squirrelmail/config.php configuration file. Be aware that reverting\nre-exposes the session cookie to plain HTTP requests and therefore\nre-introduces the CVE-2008-3663 exposure; only do so if HTTP access is\ngenuinely required. The flag is applied only to sessions started over HTTPS,\nso sessions started over plain HTTP remain unprotected; deployments concerned\nabout session hijacking should serve SquirrelMail over HTTPS only.\n\nUsers of squirrelmail should upgrade to this updated package, which\ncontains backported patches to correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2009:0010",
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2008-09-28",
"url": "http://www.squirrelmail.org/security/issue/2008-09-28"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2008-12-04",
"url": "http://www.squirrelmail.org/security/issue/2008-12-04"
},
{
"category": "external",
"summary": "464183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
},
{
"category": "external",
"summary": "473877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0010.json"
}
],
"title": "Red Hat Security Advisory: squirrelmail security update",
"tracking": {
"current_release_date": "2024-11-22T02:23:48+00:00",
"generator": {
"date": "2024-11-22T02:23:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2009:0010",
"initial_release_date": "2009-01-12T14:24:00+00:00",
"revision_history": [
{
"date": "2009-01-12T14:24:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2009-01-12T09:26:41+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T02:23:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 4",
"product": {
"name": "Red Hat Enterprise Linux AS version 4",
"product_id": "4AS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop version 4",
"product": {
"name": "Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::desktop"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 4",
"product": {
"name": "Red Hat Enterprise Linux ES version 4",
"product_id": "4ES",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 4",
"product": {
"name": "Red Hat Enterprise Linux WS version 4",
"product_id": "4WS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::ws"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 3",
"product": {
"name": "Red Hat Enterprise Linux AS version 3",
"product_id": "3AS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Desktop version 3",
"product": {
"name": "Red Hat Desktop version 3",
"product_id": "3Desktop",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::desktop"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 3",
"product": {
"name": "Red Hat Enterprise Linux ES version 3",
"product_id": "3ES",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 3",
"product": {
"name": "Red Hat Enterprise Linux WS version 3",
"product_id": "3WS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::ws"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product_id": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=src"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product_id": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=src"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-8.el3.src",
"product": {
"name": "squirrelmail-0:1.4.8-8.el3.src",
"product_id": "squirrelmail-0:1.4.8-8.el3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product_id": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product_id": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-8.el3.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch",
"product_id": "squirrelmail-0:1.4.8-8.el3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux AS version 3",
"product_id": "3AS:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux AS version 3",
"product_id": "3AS:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Desktop version 3",
"product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Desktop version 3",
"product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux ES version 3",
"product_id": "3ES:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux ES version 3",
"product_id": "3ES:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux WS version 3",
"product_id": "3WS:squirrelmail-0:1.4.8-8.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
"relates_to_product_reference": "3WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux WS version 3",
"product_id": "3WS:squirrelmail-0:1.4.8-8.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-8.el3.src",
"relates_to_product_reference": "3WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux AS version 4",
"product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux AS version 4",
"product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux ES version 4",
"product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux ES version 4",
"product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux WS version 4",
"product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"relates_to_product_reference": "4WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux WS version 4",
"product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
"relates_to_product_reference": "4WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
"relates_to_product_reference": "5Server"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2008-2379",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2008-11-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "473877"
}
],
"notes": [
{
"category": "description",
"text": "Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "squirrelmail: XSS issue caused by insufficient HTML mail sanitization",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-2379"
},
{
"category": "external",
"summary": "RHBZ#473877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-2379",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379"
}
],
"release_date": "2008-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-12T14:24:00+00:00",
"details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "squirrelmail: XSS issue caused by insufficient HTML mail sanitization"
},
{
"cve": "CVE-2008-3663",
"discovery_date": "2008-09-24T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "464183"
}
],
"notes": [
{
"category": "description",
"text": "SquirrelMail 1.4.15 does not set the Secure flag on the session cookie when the session is established over HTTPS. Without that flag the browser also sends the cookie on plain-HTTP requests to the same host (for example, a request an attacker induces), so a network attacker can capture the cookie in cleartext and hijack the session.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies",
"title": "Vulnerability summary"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2008-3663"
},
{
"category": "external",
"summary": "RHBZ#464183",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2008-3663",
"url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663"
}
],
"release_date": "2008-08-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-01-12T14:24:00+00:00",
"details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-8.el3.noarch",
"3AS:squirrelmail-0:1.4.8-8.el3.src",
"3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-8.el3.src",
"3ES:squirrelmail-0:1.4.8-8.el3.noarch",
"3ES:squirrelmail-0:1.4.8-8.el3.src",
"3WS:squirrelmail-0:1.4.8-8.el3.noarch",
"3WS:squirrelmail-0:1.4.8-8.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:0010"
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies"
}
]
}