Security
NOTE: If you're looking to contact us regarding spam
supposedly sent by SquirrelMail, please read
this explanation of why we
are not related to this scam.
If you want to contact us regarding your lost password,
not being able to log in, or other problems with your
mail account, please go to our end user
information.
The SquirrelMail Project takes security very seriously. If you think
you've discovered a security-related issue in SquirrelMail, please contact
us directly at security-2021 <at> squirrelmail.org.
We will do our best to work with you towards a solution as quickly as possible
and will of course give all credit where it's due.
Below you will find a list of known issues in past SquirrelMail versions.
A legend for the columns is given below the table.
Date | Issue | Versions Affected | RG | CVE IDs
2021-10-15 | INVALID: Insecure use of unserialize() with untrusted input | None | 0 | CVE-2020-14933
2019-07-01 | XSS vulnerability in message display | <= 1.4.22 | 0 | CVE-2019-12970
2019-02-26 | Multiple XSS vulnerabilities | <= 1.4.22 | 0 | CVE-2018-14950, CVE-2018-14951, CVE-2018-14952, CVE-2018-14953, CVE-2018-14954, CVE-2018-14955
2018-04-04 | Attachments directory traversal vulnerability | <= 1.4.22 | 0 | CVE-2018-8741
2017-04-24 | Arbitrary code execution | <= 1.4.22 | 0 | CVE-2017-7692
2012-03-09 | Cross-site scripting vulnerability in the Autocomplete plugin | < 3.0 | 0 | CVE-2012-0323
2011-07-12 | Clickjacking | <= 1.4.21 | 0 | CVE-2010-4554
2011-07-11 | Multiple XSS vulnerabilities | <= 1.4.21 | 0 | CVE-2010-4555, CVE-2011-2752, CVE-2011-2753
2011-07-10 | XSS vulnerability in message display | <= 1.4.21 | 0 | CVE-2011-2023
2010-07-23 | DoS risk against login page | <= 1.4.20 | 0 | CVE-2010-2813
2010-06-21 | Mail Fetch plugin as network scanner | <= 1.4.20 | 0 | CVE-2010-1637
2009-08-12 | CSRF in all forms | <= 1.4.19 | 0 | SA34627
2009-05-12 | CSS positioning vulnerability | <= 1.4.17 | 0 | CVE-2009-1581
2009-05-11 | Session fixation vulnerability | <= 1.4.17 | 0 | CVE-2009-1580
2009-05-10 | Server-side code injection in map_yp_alias username map | <= 1.4.18 | 0 | CVE-2009-1579, CVE-2009-1381
2009-05-09 | Cross site scripting issues in decrypt_headers.php | <= 1.4.17 | 0 | CVE-2009-1578
2009-05-08 | Multiple cross site scripting issues | <= 1.4.17 | 0 | CVE-2009-1578
2008-12-04 | Cross site scripting in HTML filter | 1.4.0 - 1.4.16 | 0 | CVE-2008-2379
2008-09-28 | Cookies for SSL connection could be sent over non-SSL | 1.4.0 - 1.4.15 | 0 | CVE-2008-3663
2007-12-13 | 1.4.12 and 1.4.11 Package Compromise | 1.4.11 & 1.4.12 | 0 | CVE-2007-6348
2007-05-09 | Cross site scripting in HTML filter | 1.4.0 - 1.4.9a | 0 | CVE-2007-1262, CVE-2007-2589
2006-12-03 | Workaround for Internet Explorer MIME handling | IE | 0 |
2006-12-02 | Cross site scripting in compose, draft & HTML mail viewing | 1.4.0 - 1.4.9 | 0 | CVE-2006-6142
2006-08-11 | Variable overwriting in compose.php | 1.4.0 - 1.4.7 | 0 | CVE-2006-4019
2006-06-22 | Disputed: search.php cross site scripting | none | 1 | CVE-2006-3174
2006-06-01 | Local file inclusion | <= 1.4.6 | 1 | CVE-2006-2842
2006-02-15 | IMAP injection in sqimap_mailbox_select mailbox parameter | <= 1.4.5 | 0 | CVE-2006-0377
2006-02-10 | Possible XSS in MagicHTML (IE only) | <= 1.4.5 | 0 | CVE-2006-0195
2006-02-01 | Possible XSS through right_frame parameter in webmail.php | <= 1.4.5 | 0 | CVE-2006-0188
2005-07-13 | $_POST variable handling in options_identites allows for different attacks | <= 1.4.5-RC1 | 1 | CVE-2005-2095
2005-06-15 | Several cross site scripting vulnerabilities | <= 1.4.4 | 0 | CVE-2005-1769
2005-01-20 | XSS vulnerability in webmail.php | <= 1.4.4-RC1 | 0 | CVE-2005-0104
2005-01-19 | Frame content changing in webmail.php | <= 1.4.4-RC1 | 0 | CVE-2005-0103
2005-01-14 | Local file inclusions in prefs.php | 1.4.3-RC1 - 1.4.4-RC1 | 1 | CVE-2005-0075
2004-11-10 | XSS vulnerability in decodeHeader() | <= 1.4.3a | 0 | CVE-2004-1036
2004-05-30 | XSS vulnerability in Content-Type display in read_body | <= 1.4.3-RC1 | 0 |
2004-05-10 | SQL injection vulnerability in addressbook | <= 1.4.2 | 0 | CVE-2004-0521
2004-05-01 | Multiple XSS vulnerabilities | <= 1.4.2 | 0 | CVE-2004-0519, CVE-2004-0520
2004-04-03 | XSS vulnerability in incoming email headers | <= 1.4.0-RC2a | 0 |
2004-04-01 | XSS vulnerability when replying to malicious sources | <= 1.4.0-RC2a | 0 |
The column RG indicates whether the vulnerability only applies to systems that
have the PHP register_globals setting turned On, a configuration that is strongly discouraged
by both the PHP developers and the SquirrelMail team.
CVE IDs are used for cross-referencing security issues between distributions.
This page only lists known issues since the start of the 1.4.0 Stable series.
Website Bug Reports
We'd like to express much gratitude to reporters of bugs with our website as follows:
- Murat Yılmazlar - https://tr.linkedin.com/in/muratyilmazlarr
- Balaji P R - https://www.linkedin.com/in/balagpy
- Stef
- Ashish Pathak - https://twitter.com/pathakbackz
- דביר לוי
- Thomas Chauchefoin