rhsa-2009:1066
Vulnerability from csaf_redhat
Published
2009-05-26 17:26
Modified
2024-11-22 02:47
Summary
Red Hat Security Advisory: squirrelmail security update
Notes
Topic
An updated squirrelmail package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having important security impact by the Red
Hat Security Response Team.
Details
SquirrelMail is a standards-based webmail package written in PHP.
A server-side code injection flaw was found in the SquirrelMail
"map_yp_alias" function. If SquirrelMail was configured to retrieve a
user's IMAP server address from a Network Information Service (NIS) server
via the "map_yp_alias" function, an unauthenticated, remote attacker using
a specially-crafted username could use this flaw to execute arbitrary code
with the privileges of the web server. (CVE-2009-1579)
Multiple cross-site scripting (XSS) flaws were found in SquirrelMail. An
attacker could construct a carefully crafted URL, which once visited by an
unsuspecting user, could cause the user's web browser to execute malicious
script in the context of the visited SquirrelMail web page. (CVE-2009-1578)
It was discovered that SquirrelMail did not properly sanitize Cascading
Style Sheets (CSS) directives used in HTML mail. A remote attacker could
send a specially-crafted email that could place mail content above
SquirrelMail's controls, possibly allowing phishing and cross-site
scripting attacks. (CVE-2009-1581)
Users of squirrelmail should upgrade to this updated package, which
contains backported patches to correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated squirrelmail package that fixes multiple security issues is now\navailable for Red Hat Enterprise Linux 3, 4, and 5.\n\nThis update has been rated as having important security impact by the Red\nHat Security Response Team.",
"title": "Topic"
},
{
"category": "general",
"text": "SquirrelMail is a standards-based webmail package written in PHP.\n\nA server-side code injection flaw was found in the SquirrelMail\n\"map_yp_alias\" function. If SquirrelMail was configured to retrieve a\nuser\u0027s IMAP server address from a Network Information Service (NIS) server\nvia the \"map_yp_alias\" function, an unauthenticated, remote attacker using\na specially-crafted username could use this flaw to execute arbitrary code\nwith the privileges of the web server. (CVE-2009-1579)\n\nMultiple cross-site scripting (XSS) flaws were found in SquirrelMail. An\nattacker could construct a carefully crafted URL, which once visited by an \nunsuspecting user, could cause the user\u0027s web browser to execute malicious\nscript in the context of the visited SquirrelMail web page. (CVE-2009-1578)\n\nIt was discovered that SquirrelMail did not properly sanitize Cascading\nStyle Sheets (CSS) directives used in HTML mail. A remote attacker could\nsend a specially-crafted email that could place mail content above\nSquirrelMail\u0027s controls, possibly allowing phishing and cross-site\nscripting attacks. (CVE-2009-1581)\n\nUsers of squirrelmail should upgrade to this updated package, which\ncontains backported patches to correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2009:1066",
"url": "https://access.redhat.com/errata/RHSA-2009:1066"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2009-05-08",
"url": "http://www.squirrelmail.org/security/issue/2009-05-08"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2009-05-10",
"url": "http://www.squirrelmail.org/security/issue/2009-05-10"
},
{
"category": "external",
"summary": "http://www.squirrelmail.org/security/issue/2009-05-12",
"url": "http://www.squirrelmail.org/security/issue/2009-05-12"
},
{
"category": "external",
"summary": "500356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=500356"
},
{
"category": "external",
"summary": "500360",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=500360"
},
{
"category": "external",
"summary": "500363",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=500363"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_1066.json"
}
],
"title": "Red Hat Security Advisory: squirrelmail security update",
"tracking": {
"current_release_date": "2024-11-22T02:47:25+00:00",
"generator": {
"date": "2024-11-22T02:47:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2009:1066",
"initial_release_date": "2009-05-26T17:26:00+00:00",
"revision_history": [
{
"date": "2009-05-26T17:26:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2009-05-26T13:31:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T02:47:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 3",
"product": {
"name": "Red Hat Enterprise Linux AS version 3",
"product_id": "3AS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Desktop version 3",
"product": {
"name": "Red Hat Desktop version 3",
"product_id": "3Desktop",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::desktop"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 3",
"product": {
"name": "Red Hat Enterprise Linux ES version 3",
"product_id": "3ES",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 3",
"product": {
"name": "Red Hat Enterprise Linux WS version 3",
"product_id": "3WS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:3::ws"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 4",
"product": {
"name": "Red Hat Enterprise Linux AS version 4",
"product_id": "4AS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::as"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop version 4",
"product": {
"name": "Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::desktop"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 4",
"product": {
"name": "Red Hat Enterprise Linux ES version 4",
"product_id": "4ES",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::es"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 4",
"product": {
"name": "Red Hat Enterprise Linux WS version 4",
"product_id": "4WS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:4::ws"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::client_workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:5::server"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-13.el3.src",
"product": {
"name": "squirrelmail-0:1.4.8-13.el3.src",
"product_id": "squirrelmail-0:1.4.8-13.el3.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-13.el3?arch=src"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el4_8.5.src",
"product": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.src",
"product_id": "squirrelmail-0:1.4.8-5.el4_8.5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_8.5?arch=src"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el5_3.7.src",
"product": {
"name": "squirrelmail-0:1.4.8-5.el5_3.7.src",
"product_id": "squirrelmail-0:1.4.8-5.el5_3.7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_3.7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-13.el3.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-13.el3.noarch",
"product_id": "squirrelmail-0:1.4.8-13.el3.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-13.el3?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"product_id": "squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el4_8.5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"product": {
"name": "squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"product_id": "squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/squirrelmail@1.4.8-5.el5_3.7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-13.el3.noarch as a component of Red Hat Enterprise Linux AS version 3",
"product_id": "3AS:squirrelmail-0:1.4.8-13.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-13.el3.noarch",
"relates_to_product_reference": "3AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-13.el3.src as a component of Red Hat Enterprise Linux AS version 3",
"product_id": "3AS:squirrelmail-0:1.4.8-13.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-13.el3.src",
"relates_to_product_reference": "3AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-13.el3.noarch as a component of Red Hat Desktop version 3",
"product_id": "3Desktop:squirrelmail-0:1.4.8-13.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-13.el3.noarch",
"relates_to_product_reference": "3Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-13.el3.src as a component of Red Hat Desktop version 3",
"product_id": "3Desktop:squirrelmail-0:1.4.8-13.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-13.el3.src",
"relates_to_product_reference": "3Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-13.el3.noarch as a component of Red Hat Enterprise Linux ES version 3",
"product_id": "3ES:squirrelmail-0:1.4.8-13.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-13.el3.noarch",
"relates_to_product_reference": "3ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-13.el3.src as a component of Red Hat Enterprise Linux ES version 3",
"product_id": "3ES:squirrelmail-0:1.4.8-13.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-13.el3.src",
"relates_to_product_reference": "3ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-13.el3.noarch as a component of Red Hat Enterprise Linux WS version 3",
"product_id": "3WS:squirrelmail-0:1.4.8-13.el3.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-13.el3.noarch",
"relates_to_product_reference": "3WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-13.el3.src as a component of Red Hat Enterprise Linux WS version 3",
"product_id": "3WS:squirrelmail-0:1.4.8-13.el3.src"
},
"product_reference": "squirrelmail-0:1.4.8-13.el3.src",
"relates_to_product_reference": "3WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.noarch as a component of Red Hat Enterprise Linux AS version 4",
"product_id": "4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"relates_to_product_reference": "4AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.src as a component of Red Hat Enterprise Linux AS version 4",
"product_id": "4AS:squirrelmail-0:1.4.8-5.el4_8.5.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_8.5.src",
"relates_to_product_reference": "4AS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.noarch as a component of Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"relates_to_product_reference": "4Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.src as a component of Red Hat Enterprise Linux Desktop version 4",
"product_id": "4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_8.5.src",
"relates_to_product_reference": "4Desktop"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.noarch as a component of Red Hat Enterprise Linux ES version 4",
"product_id": "4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"relates_to_product_reference": "4ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.src as a component of Red Hat Enterprise Linux ES version 4",
"product_id": "4ES:squirrelmail-0:1.4.8-5.el4_8.5.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_8.5.src",
"relates_to_product_reference": "4ES"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.noarch as a component of Red Hat Enterprise Linux WS version 4",
"product_id": "4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"relates_to_product_reference": "4WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el4_8.5.src as a component of Red Hat Enterprise Linux WS version 4",
"product_id": "4WS:squirrelmail-0:1.4.8-5.el4_8.5.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el4_8.5.src",
"relates_to_product_reference": "4WS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_3.7.noarch as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_3.7.src as a component of Red Hat Enterprise Linux Desktop Workstation (v. 5 client)",
"product_id": "5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_3.7.src",
"relates_to_product_reference": "5Client-Workstation"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_3.7.noarch as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"relates_to_product_reference": "5Server"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "squirrelmail-0:1.4.8-5.el5_3.7.src as a component of Red Hat Enterprise Linux (v. 5 server)",
"product_id": "5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
},
"product_reference": "squirrelmail-0:1.4.8-5.el5_3.7.src",
"relates_to_product_reference": "5Server"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2009-1578",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2009-05-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "500363"
}
],
"notes": [
{
"category": "description",
"text": "Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SquirrelMail: Multiple cross site scripting issues",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2009-1578"
},
{
"category": "external",
"summary": "RHBZ#500363",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=500363"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2009-1578",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-1578"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-1578",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1578"
}
],
"release_date": "2009-05-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-05-26T17:26:00+00:00",
"details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:1066"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "SquirrelMail: Multiple cross site scripting issues"
},
{
"cve": "CVE-2009-1579",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2009-05-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "500360"
}
],
"notes": [
{
"category": "description",
"text": "The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SquirrelMail: Server-side code injection in map_yp_alias username map",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2009-1579"
},
{
"category": "external",
"summary": "RHBZ#500360",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=500360"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2009-1579",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-1579"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-1579",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1579"
}
],
"release_date": "2009-05-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-05-26T17:26:00+00:00",
"details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:1066"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SquirrelMail: Server-side code injection in map_yp_alias username map"
},
{
"cve": "CVE-2009-1581",
"discovery_date": "2009-05-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "500356"
}
],
"notes": [
{
"category": "description",
"text": "functions/mime.php in SquirrelMail before 1.4.18 does not protect the application\u0027s content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SquirrelMail: CSS positioning vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2009-1581"
},
{
"category": "external",
"summary": "RHBZ#500356",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=500356"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2009-1581",
"url": "https://www.cve.org/CVERecord?id=CVE-2009-1581"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-1581",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1581"
}
],
"release_date": "2009-05-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2009-05-26T17:26:00+00:00",
"details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259",
"product_ids": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2009:1066"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"3AS:squirrelmail-0:1.4.8-13.el3.noarch",
"3AS:squirrelmail-0:1.4.8-13.el3.src",
"3Desktop:squirrelmail-0:1.4.8-13.el3.noarch",
"3Desktop:squirrelmail-0:1.4.8-13.el3.src",
"3ES:squirrelmail-0:1.4.8-13.el3.noarch",
"3ES:squirrelmail-0:1.4.8-13.el3.src",
"3WS:squirrelmail-0:1.4.8-13.el3.noarch",
"3WS:squirrelmail-0:1.4.8-13.el3.src",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4AS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4Desktop:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4ES:squirrelmail-0:1.4.8-5.el4_8.5.src",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.noarch",
"4WS:squirrelmail-0:1.4.8-5.el4_8.5.src",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Client-Workstation:squirrelmail-0:1.4.8-5.el5_3.7.src",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.noarch",
"5Server:squirrelmail-0:1.4.8-5.el5_3.7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "SquirrelMail: CSS positioning vulnerability"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.