Download
| Alert*
|
CVE-2018-14955
The mail message display page in SquirrelMail through 1.4.22 has XSS via SVG animations (animate to attribute). CVE-2018-14954 The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute. CVE-2018-14951 The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. CVE-2018-14950 The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<svg><a xlink:href=" attack. CVE-2018-14953 The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack. CVE-2018-14952 The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack. CVE-2019-12970 XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (f ... CVE-2009-1581 functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted mes ... CVE-2009-1579 The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. CVE-2009-1578 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) ... |
