Security

Arbitrary code execution

Date:

2017-04-24

Description:

SquirrelMail versions 1.4.22 and below are vulnerable to a command-line argument injection exploit that could allow arbitrary code execution if $edit_identity and $useSendmail are enabled and user has knowledge of the location and permissions on the SquirrelMail attachment directory.

Affected Versions:

<= 1.4.22

Register Globals:

Register_globals does not have to be on for this issue.

CVE ID(s):

CVE-2017-7692

Patch:

view patch

Credits:

Mitchel Sahertian, Beyond Security/Dawid Golunski and Filippo Cavallarin

This page last updated:

2017-04-24 00:00:00