cvelistv5 - cve-2008-3663

CVE-2008-3663 (GCVE-0-2008-3663)

Vulnerability from cvelistv5 – Published: 2008-09-24 14:00 – Updated: 2024-08-07 09:45

Summary

Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.…	x_refsource_CONFIRM
	http://secunia.com/advisories/33937	third-party-advisoryx_refsource_SECUNIA
	http://int21.de/cve/CVE-2008-3663-squirrelmail.html	x_refsource_MISC
	http://www.securityfocus.com/bid/31321	vdb-entryx_refsource_BID
	http://support.apple.com/kb/HT3438	x_refsource_CONFIRM
	http://securityreason.com/securityalert/4304	third-party-advisoryx_refsource_SREASON
	http://lists.apple.com/archives/security-announce…	vendor-advisoryx_refsource_APPLE
	http://www.securityfocus.com/archive/1/496601/100…	mailing-listx_refsource_BUGTRAQ
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://oval.cisecurity.org/repository/search/def…	vdb-entrysignaturex_refsource_OVAL

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T09:45:19.086Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
          },
          {
            "name": "33937",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/33937"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
          },
          {
            "name": "31321",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/31321"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://support.apple.com/kb/HT3438"
          },
          {
            "name": "4304",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/4304"
          },
          {
            "name": "APPLE-SA-2009-02-12",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
          },
          {
            "name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
          },
          {
            "name": "squirrelmail-cookie-session-hijacking(45700)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
          },
          {
            "name": "SUSE-SR:2009:004",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
          },
          {
            "name": "SUSE-SR:2008:028",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
          },
          {
            "name": "oval:org.mitre.oval:def:10548",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2008-09-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-11T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
        },
        {
          "name": "33937",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/33937"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
        },
        {
          "name": "31321",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/31321"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://support.apple.com/kb/HT3438"
        },
        {
          "name": "4304",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/4304"
        },
        {
          "name": "APPLE-SA-2009-02-12",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
        },
        {
          "name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
        },
        {
          "name": "squirrelmail-cookie-session-hijacking(45700)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
        },
        {
          "name": "SUSE-SR:2009:004",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
        },
        {
          "name": "SUSE-SR:2008:028",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
        },
        {
          "name": "oval:org.mitre.oval:def:10548",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-3663",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html",
              "refsource": "CONFIRM",
              "url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
            },
            {
              "name": "33937",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/33937"
            },
            {
              "name": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html",
              "refsource": "MISC",
              "url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
            },
            {
              "name": "31321",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/31321"
            },
            {
              "name": "http://support.apple.com/kb/HT3438",
              "refsource": "CONFIRM",
              "url": "http://support.apple.com/kb/HT3438"
            },
            {
              "name": "4304",
              "refsource": "SREASON",
              "url": "http://securityreason.com/securityalert/4304"
            },
            {
              "name": "APPLE-SA-2009-02-12",
              "refsource": "APPLE",
              "url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
            },
            {
              "name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
            },
            {
              "name": "squirrelmail-cookie-session-hijacking(45700)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
            },
            {
              "name": "SUSE-SR:2009:004",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
            },
            {
              "name": "SUSE-SR:2008:028",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
            },
            {
              "name": "oval:org.mitre.oval:def:10548",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2008-3663",
    "datePublished": "2008-09-24T14:00:00",
    "dateReserved": "2008-08-12T00:00:00",
    "dateUpdated": "2024-08-07T09:45:19.086Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0986D113-C9F9-4645-8968-D165EC6B917D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.\"}, {\"lang\": \"es\", \"value\": \"Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesi\\u00f3n en una sesi\\u00f3n https, lo que podr\\u00eda provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie.\"}]",
      "id": "CVE-2008-3663",
      "lastModified": "2024-11-21T00:49:49.200",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2008-09-24T14:56:52.537",
      "references": "[{\"url\": \"http://int21.de/cve/CVE-2008-3663-squirrelmail.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/33937\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://securityreason.com/securityalert/4304\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://support.apple.com/kb/HT3438\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/archive/1/496601/100/0/threaded\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/31321\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/45700\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://int21.de/cve/CVE-2008-3663-squirrelmail.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/33937\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://securityreason.com/securityalert/4304\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://support.apple.com/kb/HT3438\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/496601/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/31321\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/45700\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vendorComments": "[{\"organization\": \"Red Hat\", \"comment\": \"This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html\", \"lastModified\": \"2009-01-12T00:00:00\"}]",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-310\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2008-3663\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2008-09-24T14:56:52.537\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.\"},{\"lang\":\"es\",\"value\":\"Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesi\u00f3n en una sesi\u00f3n https, lo que podr\u00eda provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0986D113-C9F9-4645-8968-D165EC6B917D\"}]}]}],\"references\":[{\"url\":\"http://int21.de/cve/CVE-2008-3663-squirrelmail.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/33937\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securityreason.com/securityalert/4304\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://support.apple.com/kb/HT3438\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/496601/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/31321\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/45700\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://int21.de/cve/CVE-2008-3663-squirrelmail.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/33937\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securityreason.com/securityalert/4304\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://support.apple.com/kb/HT3438\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/496601/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/31321\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/45700\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"vendorComments\":[{\"organization\":\"Red Hat\",\"comment\":\"This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html\",\"lastModified\":\"2009-01-12T00:00:00\"}]}}"
  }
}

CERTA-2008-AVI-529

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité dans SquirrelMail permet l'interception de cookie de session en clair.

Description

SquirrelMail ne positionne pas correctement l'indicateur (flag) Secure pour les cookies de session https, ce qui les rend vulnérables à une interception.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Les versions antérieures à la 1.4.16.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de mise à jour SquirrelMail 1.4.16 du 28 septembre 2008	None	vendor-advisory
Bulletin de mise à jour Squirrel 1.4.16 du 28 septembre 2008 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eLes versions ant\u00e9rieures \u00e0 la 1.4.16.\u003c/p\u003e",
  "content": "## Description\n\nSquirrelMail ne positionne pas correctement l\u0027indicateur (flag) Secure\npour les cookies de session https, ce qui les rend vuln\u00e9rables \u00e0 une\ninterception.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2008-3663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
    }
  ],
  "links": [
    {
      "title": "Bulletin de mise \u00e0 jour Squirrel 1.4.16 du 28 septembre    2008 :",
      "url": "http://www.squirrelmail.org/index.php"
    }
  ],
  "reference": "CERTA-2008-AVI-529",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2008-10-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans SquirrelMail permet l\u0027interception de \u003cspan\nclass=\"textit\"\u003ecookie\u003c/span\u003e de session en clair.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans SquirrelMail",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de mise \u00e0 jour SquirrelMail 1.4.16 du 28 septembre 2008",
      "url": null
    }
  ]
}

CERTA-2009-AVI-068

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans le système Mac OS X d'Apple. L'exploitation de ces vulnérabilités permet un grand nombre d'actions, dont l'exécution de code arbitraire à distance.

Description

Apple vient de publier des mises à jour pour son système d'exploitation Mac OS X. Ces correctifs concernent la mise à jour de plusieurs applicatifs :

AFP Server ;
Apple Pixlet Video ;
Carbon Core ;
CFNetwork ;
Certificate Assistant ;
ClamAV ;
CoreText ;
CUPS ;
DS Tools ;
fetchmail ;
Folder Manager ;
FSEvents ;
Network Time ;
perl ;
Printing ;
python ;
Remote Apple Events ;
Safari RSS ;
servermgrd ;
SMB ;
SquirrelMail ;
X11 ;
Xterm.

L'exploitation des différentes vulnérabilités permet d'effectuer un grand nombre d'actions malveillantes, dont l'exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Apple	N/A	Mac OS X versions 10.5.6 et antérieures ;
	Apple	N/A	Mac OS X versions 10.4.11 et antérieures.

References

Title

Publication Time

Tags

Bulletin de sécurité Apple 2009-001 du 12 février 2009	None	vendor-advisory
Bulletin de sécurité Apple HT3438 du 12 février 2009 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Mac OS X versions 10.5.6 et ant\u00e9rieures ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Mac OS X versions 10.4.11 et ant\u00e9rieures.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nApple vient de publier des mises \u00e0 jour pour son syst\u00e8me d\u0027exploitation\nMac OS X. Ces correctifs concernent la mise \u00e0 jour de plusieurs\napplicatifs :\n\n-   AFP Server ;\n-   Apple Pixlet Video ;\n-   Carbon Core ;\n-   CFNetwork ;\n-   Certificate Assistant ;\n-   ClamAV ;\n-   CoreText ;\n-   CUPS ;\n-   DS Tools ;\n-   fetchmail ;\n-   Folder Manager ;\n-   FSEvents ;\n-   Network Time ;\n-   perl ;\n-   Printing ;\n-   python ;\n-   Remote Apple Events ;\n-   Safari RSS ;\n-   servermgrd ;\n-   SMB ;\n-   SquirrelMail ;\n-   X11 ;\n-   Xterm.\n\nL\u0027exploitation des diff\u00e9rentes vuln\u00e9rabilit\u00e9s permet d\u0027effectuer un\ngrand nombre d\u0027actions malveillantes, dont l\u0027ex\u00e9cution de code\narbitraire \u00e0 distance.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2008-2316",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2316"
    },
    {
      "name": "CVE-2008-2361",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2361"
    },
    {
      "name": "CVE-2008-2379",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
    },
    {
      "name": "CVE-2008-1808",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1808"
    },
    {
      "name": "CVE-2009-0020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0020"
    },
    {
      "name": "CVE-2009-0012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0012"
    },
    {
      "name": "CVE-2008-3663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
    },
    {
      "name": "CVE-2009-0141",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0141"
    },
    {
      "name": "CVE-2008-3142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-3142"
    },
    {
      "name": "CVE-2007-4565",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-4565"
    },
    {
      "name": "CVE-2007-1352",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1352"
    },
    {
      "name": "CVE-2009-0139",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0139"
    },
    {
      "name": "CVE-2008-4864",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-4864"
    },
    {
      "name": "CVE-2009-0019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0019"
    },
    {
      "name": "CVE-2008-1679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1679"
    },
    {
      "name": "CVE-2008-2711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2711"
    },
    {
      "name": "CVE-2008-3144",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-3144"
    },
    {
      "name": "CVE-2008-2362",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2362"
    },
    {
      "name": "CVE-2009-0018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0018"
    },
    {
      "name": "CVE-2009-0140",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0140"
    },
    {
      "name": "CVE-2009-0015",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0015"
    },
    {
      "name": "CVE-2008-1379",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1379"
    },
    {
      "name": "CVE-2008-5031",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-5031"
    },
    {
      "name": "CVE-2008-1721",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1721"
    },
    {
      "name": "CVE-2008-5050",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-5050"
    },
    {
      "name": "CVE-2006-1861",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-1861"
    },
    {
      "name": "CVE-2008-1927",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1927"
    },
    {
      "name": "CVE-2007-1667",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1667"
    },
    {
      "name": "CVE-2008-5183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-5183"
    },
    {
      "name": "CVE-2009-0138",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0138"
    },
    {
      "name": "CVE-2009-0014",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0014"
    },
    {
      "name": "CVE-2009-0009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0009"
    },
    {
      "name": "CVE-2009-0137",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0137"
    },
    {
      "name": "CVE-2008-2360",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2360"
    },
    {
      "name": "CVE-2009-0142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0142"
    },
    {
      "name": "CVE-2007-4965",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-4965"
    },
    {
      "name": "CVE-2009-0011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0011"
    },
    {
      "name": "CVE-2008-5314",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-5314"
    },
    {
      "name": "CVE-2008-1807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1807"
    },
    {
      "name": "CVE-2008-1887",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1887"
    },
    {
      "name": "CVE-2008-1377",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1377"
    },
    {
      "name": "CVE-2007-1351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1351"
    },
    {
      "name": "CVE-2008-2315",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2315"
    },
    {
      "name": "CVE-2009-0013",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0013"
    },
    {
      "name": "CVE-2009-0017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0017"
    },
    {
      "name": "CVE-2006-3467",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-3467"
    },
    {
      "name": "CVE-2008-1806",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1806"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT3438 du 12 f\u00e9vrier 2009 :",
      "url": "http://support.apple.com/kb/HT3438"
    }
  ],
  "reference": "CERTA-2009-AVI-068",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2009-02-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le syst\u00e8me Mac OS X\nd\u0027Apple. L\u0027exploitation de ces vuln\u00e9rabilit\u00e9s permet un grand nombre\nd\u0027actions, dont l\u0027ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple Mac OS X",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple 2009-001 du 12 f\u00e9vrier 2009",
      "url": null
    }
  ]
}

CERTA-2009-AVI-068

Vulnerability from certfr_avis - Published: - Updated:

Description

Apple vient de publier des mises à jour pour son système d'exploitation Mac OS X. Ces correctifs concernent la mise à jour de plusieurs applicatifs :

AFP Server ;
Apple Pixlet Video ;
Carbon Core ;
CFNetwork ;
Certificate Assistant ;
ClamAV ;
CoreText ;
CUPS ;
DS Tools ;
fetchmail ;
Folder Manager ;
FSEvents ;
Network Time ;
perl ;
Printing ;
python ;
Remote Apple Events ;
Safari RSS ;
servermgrd ;
SMB ;
SquirrelMail ;
X11 ;
Xterm.

L'exploitation des différentes vulnérabilités permet d'effectuer un grand nombre d'actions malveillantes, dont l'exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Apple	N/A	Mac OS X versions 10.5.6 et antérieures ;
	Apple	N/A	Mac OS X versions 10.4.11 et antérieures.

References

Title

Publication Time

Tags

Bulletin de sécurité Apple 2009-001 du 12 février 2009	None	vendor-advisory
Bulletin de sécurité Apple HT3438 du 12 février 2009 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Mac OS X versions 10.5.6 et ant\u00e9rieures ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Mac OS X versions 10.4.11 et ant\u00e9rieures.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nApple vient de publier des mises \u00e0 jour pour son syst\u00e8me d\u0027exploitation\nMac OS X. Ces correctifs concernent la mise \u00e0 jour de plusieurs\napplicatifs :\n\n-   AFP Server ;\n-   Apple Pixlet Video ;\n-   Carbon Core ;\n-   CFNetwork ;\n-   Certificate Assistant ;\n-   ClamAV ;\n-   CoreText ;\n-   CUPS ;\n-   DS Tools ;\n-   fetchmail ;\n-   Folder Manager ;\n-   FSEvents ;\n-   Network Time ;\n-   perl ;\n-   Printing ;\n-   python ;\n-   Remote Apple Events ;\n-   Safari RSS ;\n-   servermgrd ;\n-   SMB ;\n-   SquirrelMail ;\n-   X11 ;\n-   Xterm.\n\nL\u0027exploitation des diff\u00e9rentes vuln\u00e9rabilit\u00e9s permet d\u0027effectuer un\ngrand nombre d\u0027actions malveillantes, dont l\u0027ex\u00e9cution de code\narbitraire \u00e0 distance.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2008-2316",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2316"
    },
    {
      "name": "CVE-2008-2361",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2361"
    },
    {
      "name": "CVE-2008-2379",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
    },
    {
      "name": "CVE-2008-1808",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1808"
    },
    {
      "name": "CVE-2009-0020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0020"
    },
    {
      "name": "CVE-2009-0012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0012"
    },
    {
      "name": "CVE-2008-3663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
    },
    {
      "name": "CVE-2009-0141",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0141"
    },
    {
      "name": "CVE-2008-3142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-3142"
    },
    {
      "name": "CVE-2007-4565",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-4565"
    },
    {
      "name": "CVE-2007-1352",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1352"
    },
    {
      "name": "CVE-2009-0139",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0139"
    },
    {
      "name": "CVE-2008-4864",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-4864"
    },
    {
      "name": "CVE-2009-0019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0019"
    },
    {
      "name": "CVE-2008-1679",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1679"
    },
    {
      "name": "CVE-2008-2711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2711"
    },
    {
      "name": "CVE-2008-3144",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-3144"
    },
    {
      "name": "CVE-2008-2362",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2362"
    },
    {
      "name": "CVE-2009-0018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0018"
    },
    {
      "name": "CVE-2009-0140",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0140"
    },
    {
      "name": "CVE-2009-0015",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0015"
    },
    {
      "name": "CVE-2008-1379",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1379"
    },
    {
      "name": "CVE-2008-5031",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-5031"
    },
    {
      "name": "CVE-2008-1721",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1721"
    },
    {
      "name": "CVE-2008-5050",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-5050"
    },
    {
      "name": "CVE-2006-1861",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-1861"
    },
    {
      "name": "CVE-2008-1927",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1927"
    },
    {
      "name": "CVE-2007-1667",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1667"
    },
    {
      "name": "CVE-2008-5183",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-5183"
    },
    {
      "name": "CVE-2009-0138",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0138"
    },
    {
      "name": "CVE-2009-0014",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0014"
    },
    {
      "name": "CVE-2009-0009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0009"
    },
    {
      "name": "CVE-2009-0137",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0137"
    },
    {
      "name": "CVE-2008-2360",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2360"
    },
    {
      "name": "CVE-2009-0142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0142"
    },
    {
      "name": "CVE-2007-4965",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-4965"
    },
    {
      "name": "CVE-2009-0011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0011"
    },
    {
      "name": "CVE-2008-5314",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-5314"
    },
    {
      "name": "CVE-2008-1807",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1807"
    },
    {
      "name": "CVE-2008-1887",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1887"
    },
    {
      "name": "CVE-2008-1377",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1377"
    },
    {
      "name": "CVE-2007-1351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1351"
    },
    {
      "name": "CVE-2008-2315",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-2315"
    },
    {
      "name": "CVE-2009-0013",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0013"
    },
    {
      "name": "CVE-2009-0017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2009-0017"
    },
    {
      "name": "CVE-2006-3467",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-3467"
    },
    {
      "name": "CVE-2008-1806",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-1806"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Apple HT3438 du 12 f\u00e9vrier 2009 :",
      "url": "http://support.apple.com/kb/HT3438"
    }
  ],
  "reference": "CERTA-2009-AVI-068",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2009-02-13T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans le syst\u00e8me Mac OS X\nd\u0027Apple. L\u0027exploitation de ces vuln\u00e9rabilit\u00e9s permet un grand nombre\nd\u0027actions, dont l\u0027ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple Mac OS X",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Apple 2009-001 du 12 f\u00e9vrier 2009",
      "url": null
    }
  ]
}

CERTA-2008-AVI-529

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité dans SquirrelMail permet l'interception de cookie de session en clair.

Description

SquirrelMail ne positionne pas correctement l'indicateur (flag) Secure pour les cookies de session https, ce qui les rend vulnérables à une interception.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Les versions antérieures à la 1.4.16.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de mise à jour SquirrelMail 1.4.16 du 28 septembre 2008	None	vendor-advisory
Bulletin de mise à jour Squirrel 1.4.16 du 28 septembre 2008 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eLes versions ant\u00e9rieures \u00e0 la 1.4.16.\u003c/p\u003e",
  "content": "## Description\n\nSquirrelMail ne positionne pas correctement l\u0027indicateur (flag) Secure\npour les cookies de session https, ce qui les rend vuln\u00e9rables \u00e0 une\ninterception.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2008-3663",
      "url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
    }
  ],
  "links": [
    {
      "title": "Bulletin de mise \u00e0 jour Squirrel 1.4.16 du 28 septembre    2008 :",
      "url": "http://www.squirrelmail.org/index.php"
    }
  ],
  "reference": "CERTA-2008-AVI-529",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2008-10-27T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 dans SquirrelMail permet l\u0027interception de \u003cspan\nclass=\"textit\"\u003ecookie\u003c/span\u003e de session en clair.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans SquirrelMail",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de mise \u00e0 jour SquirrelMail 1.4.16 du 28 septembre 2008",
      "url": null
    }
  ]
}

RHSA-2009:0010

Vulnerability from csaf_redhat - Published: 2009-01-12 14:24 - Updated: 2025-11-21 17:34

Summary

Red Hat Security Advisory: squirrelmail security update

Notes

Topic

An updated squirrelmail package that resolves various security issues is now available for Red Hat Enterprise Linux 3, 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Details

SquirrelMail is an easy-to-configure, standards-based, webmail package written in PHP. It includes built-in PHP support for the IMAP and SMTP protocols, and pure HTML 4.0 page-rendering (with no JavaScript required) for maximum browser-compatibility, strong MIME support, address books, and folder manipulation. Ivan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail caused by insufficient HTML mail sanitization. A remote attacker could send a specially-crafted HTML mail or attachment that could cause a user's Web browser to execute a malicious script in the context of the SquirrelMail session when that email or attachment was opened by the user. (CVE-2008-2379) It was discovered that SquirrelMail allowed cookies over insecure connections (ie did not restrict cookies to HTTPS connections). An attacker who controlled the communication channel between a user and the SquirrelMail server, or who was able to sniff the user's network communication, could use this flaw to obtain the user's session cookie, if a user made an HTTP request to the server. (CVE-2008-3663) Note: After applying this update, all session cookies set for SquirrelMail sessions started over HTTPS connections will have the "secure" flag set. That is, browsers will only send such cookies over an HTTPS connection. If needed, you can revert to the previous behavior by setting the configuration option "$only_secure_cookies" to "false" in SquirrelMail's /etc/squirrelmail/config.php configuration file. Users of squirrelmail should upgrade to this updated package, which contains backported patches to correct these issues.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated squirrelmail package that resolves various security issues is\nnow available for Red Hat Enterprise Linux 3, 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red\nHat Security Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "SquirrelMail is an easy-to-configure, standards-based, webmail package\nwritten in PHP. It includes built-in PHP support for the IMAP and SMTP\nprotocols, and pure HTML 4.0 page-rendering (with no JavaScript required)\nfor maximum browser-compatibility, strong MIME support, address books, and\nfolder manipulation.\n\nIvan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail\ncaused by insufficient HTML mail sanitization. A remote attacker could send\na specially-crafted HTML mail or attachment that could cause a user\u0027s Web\nbrowser to execute a malicious script in the context of the SquirrelMail\nsession when that email or attachment was opened by the user.\n(CVE-2008-2379)\n\nIt was discovered that SquirrelMail allowed cookies over insecure\nconnections (ie did not restrict cookies to HTTPS connections). An attacker\nwho controlled the communication channel between a user and the\nSquirrelMail server, or who was able to sniff the user\u0027s network\ncommunication, could use this flaw to obtain the user\u0027s session cookie, if\na user made an HTTP request to the server. (CVE-2008-3663)\n\nNote: After applying this update, all session cookies set for SquirrelMail\nsessions started over HTTPS connections will have the \"secure\" flag set.\nThat is, browsers will only send such cookies over an HTTPS connection. If\nneeded, you can revert to the previous behavior by setting the\nconfiguration option \"$only_secure_cookies\" to \"false\" in SquirrelMail\u0027s\n/etc/squirrelmail/config.php configuration file.\n\nUsers of squirrelmail should upgrade to this updated package, which\ncontains backported patches to correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2009:0010",
        "url": "https://access.redhat.com/errata/RHSA-2009:0010"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "http://www.squirrelmail.org/security/issue/2008-09-28",
        "url": "http://www.squirrelmail.org/security/issue/2008-09-28"
      },
      {
        "category": "external",
        "summary": "http://www.squirrelmail.org/security/issue/2008-12-04",
        "url": "http://www.squirrelmail.org/security/issue/2008-12-04"
      },
      {
        "category": "external",
        "summary": "464183",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
      },
      {
        "category": "external",
        "summary": "473877",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0010.json"
      }
    ],
    "title": "Red Hat Security Advisory: squirrelmail security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:34:09+00:00",
      "generator": {
        "date": "2025-11-21T17:34:09+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2009:0010",
      "initial_release_date": "2009-01-12T14:24:00+00:00",
      "revision_history": [
        {
          "date": "2009-01-12T14:24:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2009-01-12T09:26:41+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:34:09+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                  "product_id": "5Client-Workstation",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux (v. 5 server)",
                "product": {
                  "name": "Red Hat Enterprise Linux (v. 5 server)",
                  "product_id": "5Server",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS version 4",
                "product": {
                  "name": "Red Hat Enterprise Linux AS version 4",
                  "product_id": "4AS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:4::as"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop version 4",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop version 4",
                  "product_id": "4Desktop",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:4::desktop"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ES version 4",
                "product": {
                  "name": "Red Hat Enterprise Linux ES version 4",
                  "product_id": "4ES",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:4::es"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux WS version 4",
                "product": {
                  "name": "Red Hat Enterprise Linux WS version 4",
                  "product_id": "4WS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:4::ws"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS version 3",
                "product": {
                  "name": "Red Hat Enterprise Linux AS version 3",
                  "product_id": "3AS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:3::as"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Desktop version 3",
                "product": {
                  "name": "Red Hat Desktop version 3",
                  "product_id": "3Desktop",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:3::desktop"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ES version 3",
                "product": {
                  "name": "Red Hat Enterprise Linux ES version 3",
                  "product_id": "3ES",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:3::es"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux WS version 3",
                "product": {
                  "name": "Red Hat Enterprise Linux WS version 3",
                  "product_id": "3WS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:3::ws"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
                "product": {
                  "name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
                  "product_id": "squirrelmail-0:1.4.8-5.el5_2.2.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
                "product": {
                  "name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
                  "product_id": "squirrelmail-0:1.4.8-5.el4_7.2.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-8.el3.src",
                "product": {
                  "name": "squirrelmail-0:1.4.8-8.el3.src",
                  "product_id": "squirrelmail-0:1.4.8-8.el3.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
                "product": {
                  "name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
                  "product_id": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
                "product": {
                  "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
                  "product_id": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-8.el3.noarch",
                "product": {
                  "name": "squirrelmail-0:1.4.8-8.el3.noarch",
                  "product_id": "squirrelmail-0:1.4.8-8.el3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux AS version 3",
          "product_id": "3AS:squirrelmail-0:1.4.8-8.el3.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
        "relates_to_product_reference": "3AS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux AS version 3",
          "product_id": "3AS:squirrelmail-0:1.4.8-8.el3.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.src",
        "relates_to_product_reference": "3AS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Desktop version 3",
          "product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
        "relates_to_product_reference": "3Desktop"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Desktop version 3",
          "product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.src",
        "relates_to_product_reference": "3Desktop"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux ES version 3",
          "product_id": "3ES:squirrelmail-0:1.4.8-8.el3.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
        "relates_to_product_reference": "3ES"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux ES version 3",
          "product_id": "3ES:squirrelmail-0:1.4.8-8.el3.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.src",
        "relates_to_product_reference": "3ES"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux WS version 3",
          "product_id": "3WS:squirrelmail-0:1.4.8-8.el3.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
        "relates_to_product_reference": "3WS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux WS version 3",
          "product_id": "3WS:squirrelmail-0:1.4.8-8.el3.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.src",
        "relates_to_product_reference": "3WS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux AS version 4",
          "product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
        "relates_to_product_reference": "4AS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux AS version 4",
          "product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
        "relates_to_product_reference": "4AS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux Desktop version 4",
          "product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
        "relates_to_product_reference": "4Desktop"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux Desktop version 4",
          "product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
        "relates_to_product_reference": "4Desktop"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux ES version 4",
          "product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
        "relates_to_product_reference": "4ES"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux ES version 4",
          "product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
        "relates_to_product_reference": "4ES"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux WS version 4",
          "product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
        "relates_to_product_reference": "4WS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux WS version 4",
          "product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
        "relates_to_product_reference": "4WS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
        "relates_to_product_reference": "5Server"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2008-2379",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2008-11-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "473877"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "squirrelmail: XSS issue caused by an insufficient html mail sanitation",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "3AS:squirrelmail-0:1.4.8-8.el3.noarch",
          "3AS:squirrelmail-0:1.4.8-8.el3.src",
          "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
          "3Desktop:squirrelmail-0:1.4.8-8.el3.src",
          "3ES:squirrelmail-0:1.4.8-8.el3.noarch",
          "3ES:squirrelmail-0:1.4.8-8.el3.src",
          "3WS:squirrelmail-0:1.4.8-8.el3.noarch",
          "3WS:squirrelmail-0:1.4.8-8.el3.src",
          "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
          "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
          "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
          "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-2379"
        },
        {
          "category": "external",
          "summary": "RHBZ#473877",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-2379",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379"
        }
      ],
      "release_date": "2008-12-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2009-01-12T14:24:00+00:00",
          "details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
          "product_ids": [
            "3AS:squirrelmail-0:1.4.8-8.el3.noarch",
            "3AS:squirrelmail-0:1.4.8-8.el3.src",
            "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
            "3Desktop:squirrelmail-0:1.4.8-8.el3.src",
            "3ES:squirrelmail-0:1.4.8-8.el3.noarch",
            "3ES:squirrelmail-0:1.4.8-8.el3.src",
            "3WS:squirrelmail-0:1.4.8-8.el3.noarch",
            "3WS:squirrelmail-0:1.4.8-8.el3.src",
            "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
            "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
            "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
            "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2009:0010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "squirrelmail: XSS issue caused by an insufficient html mail sanitation"
    },
    {
      "cve": "CVE-2008-3663",
      "discovery_date": "2008-09-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "464183"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "3AS:squirrelmail-0:1.4.8-8.el3.noarch",
          "3AS:squirrelmail-0:1.4.8-8.el3.src",
          "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
          "3Desktop:squirrelmail-0:1.4.8-8.el3.src",
          "3ES:squirrelmail-0:1.4.8-8.el3.noarch",
          "3ES:squirrelmail-0:1.4.8-8.el3.src",
          "3WS:squirrelmail-0:1.4.8-8.el3.noarch",
          "3WS:squirrelmail-0:1.4.8-8.el3.src",
          "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
          "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
          "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
          "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-3663"
        },
        {
          "category": "external",
          "summary": "RHBZ#464183",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-3663",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663"
        }
      ],
      "release_date": "2008-08-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2009-01-12T14:24:00+00:00",
          "details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
          "product_ids": [
            "3AS:squirrelmail-0:1.4.8-8.el3.noarch",
            "3AS:squirrelmail-0:1.4.8-8.el3.src",
            "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
            "3Desktop:squirrelmail-0:1.4.8-8.el3.src",
            "3ES:squirrelmail-0:1.4.8-8.el3.noarch",
            "3ES:squirrelmail-0:1.4.8-8.el3.src",
            "3WS:squirrelmail-0:1.4.8-8.el3.noarch",
            "3WS:squirrelmail-0:1.4.8-8.el3.src",
            "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
            "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
            "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
            "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2009:0010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies"
    }
  ]
}

RHSA-2009_0010

Vulnerability from csaf_redhat - Published: 2009-01-12 14:24 - Updated: 2024-11-22 02:23

Summary

Red Hat Security Advisory: squirrelmail security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated squirrelmail package that resolves various security issues is\nnow available for Red Hat Enterprise Linux 3, 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red\nHat Security Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "SquirrelMail is an easy-to-configure, standards-based, webmail package\nwritten in PHP. It includes built-in PHP support for the IMAP and SMTP\nprotocols, and pure HTML 4.0 page-rendering (with no JavaScript required)\nfor maximum browser-compatibility, strong MIME support, address books, and\nfolder manipulation.\n\nIvan Markovic discovered a cross-site scripting (XSS) flaw in SquirrelMail\ncaused by insufficient HTML mail sanitization. A remote attacker could send\na specially-crafted HTML mail or attachment that could cause a user\u0027s Web\nbrowser to execute a malicious script in the context of the SquirrelMail\nsession when that email or attachment was opened by the user.\n(CVE-2008-2379)\n\nIt was discovered that SquirrelMail allowed cookies over insecure\nconnections (ie did not restrict cookies to HTTPS connections). An attacker\nwho controlled the communication channel between a user and the\nSquirrelMail server, or who was able to sniff the user\u0027s network\ncommunication, could use this flaw to obtain the user\u0027s session cookie, if\na user made an HTTP request to the server. (CVE-2008-3663)\n\nNote: After applying this update, all session cookies set for SquirrelMail\nsessions started over HTTPS connections will have the \"secure\" flag set.\nThat is, browsers will only send such cookies over an HTTPS connection. If\nneeded, you can revert to the previous behavior by setting the\nconfiguration option \"$only_secure_cookies\" to \"false\" in SquirrelMail\u0027s\n/etc/squirrelmail/config.php configuration file.\n\nUsers of squirrelmail should upgrade to this updated package, which\ncontains backported patches to correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2009:0010",
        "url": "https://access.redhat.com/errata/RHSA-2009:0010"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "http://www.squirrelmail.org/security/issue/2008-09-28",
        "url": "http://www.squirrelmail.org/security/issue/2008-09-28"
      },
      {
        "category": "external",
        "summary": "http://www.squirrelmail.org/security/issue/2008-12-04",
        "url": "http://www.squirrelmail.org/security/issue/2008-12-04"
      },
      {
        "category": "external",
        "summary": "464183",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
      },
      {
        "category": "external",
        "summary": "473877",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_0010.json"
      }
    ],
    "title": "Red Hat Security Advisory: squirrelmail security update",
    "tracking": {
      "current_release_date": "2024-11-22T02:23:48+00:00",
      "generator": {
        "date": "2024-11-22T02:23:48+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2009:0010",
      "initial_release_date": "2009-01-12T14:24:00+00:00",
      "revision_history": [
        {
          "date": "2009-01-12T14:24:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2009-01-12T09:26:41+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T02:23:48+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
                  "product_id": "5Client-Workstation",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux (v. 5 server)",
                "product": {
                  "name": "Red Hat Enterprise Linux (v. 5 server)",
                  "product_id": "5Server",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:5::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS version 4",
                "product": {
                  "name": "Red Hat Enterprise Linux AS version 4",
                  "product_id": "4AS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:4::as"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Desktop version 4",
                "product": {
                  "name": "Red Hat Enterprise Linux Desktop version 4",
                  "product_id": "4Desktop",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:4::desktop"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ES version 4",
                "product": {
                  "name": "Red Hat Enterprise Linux ES version 4",
                  "product_id": "4ES",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:4::es"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux WS version 4",
                "product": {
                  "name": "Red Hat Enterprise Linux WS version 4",
                  "product_id": "4WS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:4::ws"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS version 3",
                "product": {
                  "name": "Red Hat Enterprise Linux AS version 3",
                  "product_id": "3AS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:3::as"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Desktop version 3",
                "product": {
                  "name": "Red Hat Desktop version 3",
                  "product_id": "3Desktop",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:3::desktop"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ES version 3",
                "product": {
                  "name": "Red Hat Enterprise Linux ES version 3",
                  "product_id": "3ES",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:3::es"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux WS version 3",
                "product": {
                  "name": "Red Hat Enterprise Linux WS version 3",
                  "product_id": "3WS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:3::ws"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
                "product": {
                  "name": "squirrelmail-0:1.4.8-5.el5_2.2.src",
                  "product_id": "squirrelmail-0:1.4.8-5.el5_2.2.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
                "product": {
                  "name": "squirrelmail-0:1.4.8-5.el4_7.2.src",
                  "product_id": "squirrelmail-0:1.4.8-5.el4_7.2.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-8.el3.src",
                "product": {
                  "name": "squirrelmail-0:1.4.8-8.el3.src",
                  "product_id": "squirrelmail-0:1.4.8-8.el3.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
                "product": {
                  "name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
                  "product_id": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_2.2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
                "product": {
                  "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
                  "product_id": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_7.2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "squirrelmail-0:1.4.8-8.el3.noarch",
                "product": {
                  "name": "squirrelmail-0:1.4.8-8.el3.noarch",
                  "product_id": "squirrelmail-0:1.4.8-8.el3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/squirrelmail@1.4.8-8.el3?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux AS version 3",
          "product_id": "3AS:squirrelmail-0:1.4.8-8.el3.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
        "relates_to_product_reference": "3AS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux AS version 3",
          "product_id": "3AS:squirrelmail-0:1.4.8-8.el3.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.src",
        "relates_to_product_reference": "3AS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Desktop version 3",
          "product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
        "relates_to_product_reference": "3Desktop"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Desktop version 3",
          "product_id": "3Desktop:squirrelmail-0:1.4.8-8.el3.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.src",
        "relates_to_product_reference": "3Desktop"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux ES version 3",
          "product_id": "3ES:squirrelmail-0:1.4.8-8.el3.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
        "relates_to_product_reference": "3ES"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux ES version 3",
          "product_id": "3ES:squirrelmail-0:1.4.8-8.el3.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.src",
        "relates_to_product_reference": "3ES"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.noarch as a component of Red Hat Enterprise Linux WS version 3",
          "product_id": "3WS:squirrelmail-0:1.4.8-8.el3.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.noarch",
        "relates_to_product_reference": "3WS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-8.el3.src as a component of Red Hat Enterprise Linux WS version 3",
          "product_id": "3WS:squirrelmail-0:1.4.8-8.el3.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-8.el3.src",
        "relates_to_product_reference": "3WS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux AS version 4",
          "product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
        "relates_to_product_reference": "4AS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux AS version 4",
          "product_id": "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
        "relates_to_product_reference": "4AS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux Desktop version 4",
          "product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
        "relates_to_product_reference": "4Desktop"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux Desktop version 4",
          "product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
        "relates_to_product_reference": "4Desktop"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux ES version 4",
          "product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
        "relates_to_product_reference": "4ES"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux ES version 4",
          "product_id": "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
        "relates_to_product_reference": "4ES"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.noarch as a component of Red Hat Enterprise Linux WS version 4",
          "product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.noarch",
        "relates_to_product_reference": "4WS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el4_7.2.src as a component of Red Hat Enterprise Linux WS version 4",
          "product_id": "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el4_7.2.src",
        "relates_to_product_reference": "4WS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
          "product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
        "relates_to_product_reference": "5Client-Workstation"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el5_2.2.noarch as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.noarch",
        "relates_to_product_reference": "5Server"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "squirrelmail-0:1.4.8-5.el5_2.2.src as a component of Red Hat Enterprise Linux (v. 5 server)",
          "product_id": "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
        },
        "product_reference": "squirrelmail-0:1.4.8-5.el5_2.2.src",
        "relates_to_product_reference": "5Server"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2008-2379",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2008-11-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "473877"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "squirrelmail: XSS issue caused by an insufficient html mail sanitation",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "3AS:squirrelmail-0:1.4.8-8.el3.noarch",
          "3AS:squirrelmail-0:1.4.8-8.el3.src",
          "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
          "3Desktop:squirrelmail-0:1.4.8-8.el3.src",
          "3ES:squirrelmail-0:1.4.8-8.el3.noarch",
          "3ES:squirrelmail-0:1.4.8-8.el3.src",
          "3WS:squirrelmail-0:1.4.8-8.el3.noarch",
          "3WS:squirrelmail-0:1.4.8-8.el3.src",
          "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
          "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
          "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
          "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-2379"
        },
        {
          "category": "external",
          "summary": "RHBZ#473877",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=473877"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-2379",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-2379"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2379"
        }
      ],
      "release_date": "2008-12-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2009-01-12T14:24:00+00:00",
          "details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
          "product_ids": [
            "3AS:squirrelmail-0:1.4.8-8.el3.noarch",
            "3AS:squirrelmail-0:1.4.8-8.el3.src",
            "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
            "3Desktop:squirrelmail-0:1.4.8-8.el3.src",
            "3ES:squirrelmail-0:1.4.8-8.el3.noarch",
            "3ES:squirrelmail-0:1.4.8-8.el3.src",
            "3WS:squirrelmail-0:1.4.8-8.el3.noarch",
            "3WS:squirrelmail-0:1.4.8-8.el3.src",
            "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
            "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
            "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
            "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2009:0010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "squirrelmail: XSS issue caused by an insufficient html mail sanitation"
    },
    {
      "cve": "CVE-2008-3663",
      "discovery_date": "2008-09-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "464183"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "3AS:squirrelmail-0:1.4.8-8.el3.noarch",
          "3AS:squirrelmail-0:1.4.8-8.el3.src",
          "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
          "3Desktop:squirrelmail-0:1.4.8-8.el3.src",
          "3ES:squirrelmail-0:1.4.8-8.el3.noarch",
          "3ES:squirrelmail-0:1.4.8-8.el3.src",
          "3WS:squirrelmail-0:1.4.8-8.el3.noarch",
          "3WS:squirrelmail-0:1.4.8-8.el3.src",
          "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
          "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
          "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
          "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
          "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
          "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2008-3663"
        },
        {
          "category": "external",
          "summary": "RHBZ#464183",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=464183"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2008-3663",
          "url": "https://www.cve.org/CVERecord?id=CVE-2008-3663"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663"
        }
      ],
      "release_date": "2008-08-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2009-01-12T14:24:00+00:00",
          "details": "Before applying this update, make sure that all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use the Red\nHat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
          "product_ids": [
            "3AS:squirrelmail-0:1.4.8-8.el3.noarch",
            "3AS:squirrelmail-0:1.4.8-8.el3.src",
            "3Desktop:squirrelmail-0:1.4.8-8.el3.noarch",
            "3Desktop:squirrelmail-0:1.4.8-8.el3.src",
            "3ES:squirrelmail-0:1.4.8-8.el3.noarch",
            "3ES:squirrelmail-0:1.4.8-8.el3.src",
            "3WS:squirrelmail-0:1.4.8-8.el3.noarch",
            "3WS:squirrelmail-0:1.4.8-8.el3.src",
            "4AS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4AS:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4Desktop:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4ES:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4ES:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "4WS:squirrelmail-0:1.4.8-5.el4_7.2.noarch",
            "4WS:squirrelmail-0:1.4.8-5.el4_7.2.src",
            "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
            "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_2.2.src",
            "5Server:squirrelmail-0:1.4.8-5.el5_2.2.noarch",
            "5Server:squirrelmail-0:1.4.8-5.el5_2.2.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2009:0010"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "squirrelmail: session hijacking - secure flag not set for HTTPS-only cookies"
    }
  ]
}

FKIE_CVE-2008-3663

Vulnerability from fkie_nvd - Published: 2008-09-24 14:56 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

	URL	Tags
	cve@mitre.org	http://int21.de/cve/CVE-2008-3663-squirrelmail.html
	cve@mitre.org	http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html
	cve@mitre.org	http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html
	cve@mitre.org	http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
	cve@mitre.org	http://secunia.com/advisories/33937
	cve@mitre.org	http://securityreason.com/securityalert/4304
	cve@mitre.org	http://support.apple.com/kb/HT3438
	cve@mitre.org	http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html
	cve@mitre.org	http://www.securityfocus.com/archive/1/496601/100/0/threaded
	cve@mitre.org	http://www.securityfocus.com/bid/31321
	cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/45700
	cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548
	af854a3a-2127-422b-91ae-364da2661108	http://int21.de/cve/CVE-2008-3663-squirrelmail.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
	af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/33937
	af854a3a-2127-422b-91ae-364da2661108	http://securityreason.com/securityalert/4304
	af854a3a-2127-422b-91ae-364da2661108	http://support.apple.com/kb/HT3438
	af854a3a-2127-422b-91ae-364da2661108	http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html
	af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/496601/100/0/threaded
	af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/31321
	af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/45700
	af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548

Impacted products

	Vendor	Product	Version
	squirrelmail	squirrelmail	1.4.15

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "0986D113-C9F9-4645-8968-D165EC6B917D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
    },
    {
      "lang": "es",
      "value": "Squirrelmail 1.4.15 no establece la bandera de seguridad para la cookie de sesi\u00f3n en una sesi\u00f3n https, lo que podr\u00eda provocar que la cookie pudiera ser enviada en peticiones http y facilitar a atacantes remotos capturar esta cookie."
    }
  ],
  "id": "CVE-2008-3663",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2008-09-24T14:56:52.537",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/33937"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securityreason.com/securityalert/4304"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://support.apple.com/kb/HT3438"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/31321"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/33937"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securityreason.com/securityalert/4304"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://support.apple.com/kb/HT3438"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/31321"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vendorComments": [
    {
      "comment": "This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html",
      "lastModified": "2009-01-12T00:00:00",
      "organization": "Red Hat"
    }
  ],
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-V6VW-6GWH-PPRH

Vulnerability from github – Published: 2022-05-02 00:02 – Updated: 2022-05-02 00:02

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2008-3663"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-09-24T14:56:00Z",
    "severity": "MODERATE"
  },
  "details": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
  "id": "GHSA-v6vw-6gwh-pprh",
  "modified": "2022-05-02T00:02:29Z",
  "published": "2022-05-02T00:02:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3663"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
    },
    {
      "type": "WEB",
      "url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/33937"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/4304"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT3438"
    },
    {
      "type": "WEB",
      "url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31321"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2008-3663

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2008-3663

Aliases

CVE-2008-3663

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2008-3663",
    "description": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
    "id": "GSD-2008-3663",
    "references": [
      "https://www.suse.com/security/cve/CVE-2008-3663.html",
      "https://access.redhat.com/errata/RHSA-2009:0010",
      "https://linux.oracle.com/cve/CVE-2008-3663.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2008-3663"
      ],
      "details": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.",
      "id": "GSD-2008-3663",
      "modified": "2023-12-13T01:23:05.895043Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2008-3663",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html",
            "refsource": "CONFIRM",
            "url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
          },
          {
            "name": "33937",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/33937"
          },
          {
            "name": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html",
            "refsource": "MISC",
            "url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
          },
          {
            "name": "31321",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/31321"
          },
          {
            "name": "http://support.apple.com/kb/HT3438",
            "refsource": "CONFIRM",
            "url": "http://support.apple.com/kb/HT3438"
          },
          {
            "name": "4304",
            "refsource": "SREASON",
            "url": "http://securityreason.com/securityalert/4304"
          },
          {
            "name": "APPLE-SA-2009-02-12",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
          },
          {
            "name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
          },
          {
            "name": "squirrelmail-cookie-session-hijacking(45700)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
          },
          {
            "name": "SUSE-SR:2009:004",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
          },
          {
            "name": "SUSE-SR:2008:028",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
          },
          {
            "name": "oval:org.mitre.oval:def:10548",
            "refsource": "OVAL",
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-3663"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-310"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://int21.de/cve/CVE-2008-3663-squirrelmail.html"
            },
            {
              "name": "31321",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/31321"
            },
            {
              "name": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.nabble.com/ANNOUNCE:-SquirrelMail-1.4.16-Released-td19711998.html"
            },
            {
              "name": "SUSE-SR:2008:028",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00003.html"
            },
            {
              "name": "4304",
              "refsource": "SREASON",
              "tags": [],
              "url": "http://securityreason.com/securityalert/4304"
            },
            {
              "name": "APPLE-SA-2009-02-12",
              "refsource": "APPLE",
              "tags": [],
              "url": "http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.html"
            },
            {
              "name": "SUSE-SR:2009:004",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
            },
            {
              "name": "33937",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/33937"
            },
            {
              "name": "http://support.apple.com/kb/HT3438",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://support.apple.com/kb/HT3438"
            },
            {
              "name": "squirrelmail-cookie-session-hijacking(45700)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45700"
            },
            {
              "name": "oval:org.mitre.oval:def:10548",
              "refsource": "OVAL",
              "tags": [],
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10548"
            },
            {
              "name": "20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/496601/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2018-10-11T20:49Z",
      "publishedDate": "2008-09-24T14:56Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2008-3663 (GCVE-0-2008-3663)

Description

Solution

Description

Solution

Description

Solution

Description

Solution

Tags

Sightings

Nomenclature