SquirrelMail  

Security

Arbitrary code execution

Date: 2017-04-24
Description: SquirrelMail versions 1.4.22 and below are vulnerable to a command-line argument injection exploit that could allow arbitrary code execution if $edit_identity and $useSendmail are enabled and the user has knowledge of the location of, and permissions on, the SquirrelMail attachment directory.
Affected Versions: <= 1.4.22
Register Globals: Register_globals does not have to be on for this issue.
CVE ID(s): CVE-2017-7692
Patch: view patch
Credits: Mitchel Sahertian, Beyond Security/Dawid Golunski and Filippo Cavallarin
This page last updated: 2017-04-24 00:00:00
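
A triage check for the conditions named in the description, as an added example that is not SquirrelMail project code: it reads the two settings from the text of a config file and compares a supplied version against the affected range. Assumptions: the settings appear as plain `$name = true;` assignments in config/config.php, the operator supplies the version string, and the sample config is constructed; the attachment-directory condition and whether the patch was applied cannot be read from these inputs.

```python
import re

# Constructed sample of a SquirrelMail config/config.php (not from a real install).
SAMPLE_CONFIG = """<?php
// $useSendmail = false;
$useSendmail    = true;
$sendmail_path  = '/usr/sbin/sendmail';
/* $edit_identity = false; */
$edit_identity  = TRUE;  // trailing comments are tolerated
"""

LAST_AFFECTED = (1, 4, 22)  # advisory: "Affected Versions: <= 1.4.22"


def strip_php_comments(src):
    """Remove /* */ blocks and whole-line // or # comments so disabled settings are ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return "\n".join(line for line in src.splitlines()
                     if not re.match(r"\s*(//|#)", line))


def php_bool(src, name):
    """Last boolean assigned to $name in the config, or None if it is never assigned."""
    pattern = r"^\s*\$%s\s*=\s*(true|false)\s*;" % re.escape(name)
    hits = re.findall(pattern, strip_php_comments(src), flags=re.I | re.M)
    return hits[-1].lower() == "true" if hits else None


def parse_version(text):
    """'1.4.22' -> (1, 4, 22); any suffix after the three numbers is ignored."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def assess(config_src, version):
    """Classify an install against the advisory's version range and two config preconditions."""
    if parse_version(version) > LAST_AFFECTED:
        return "version-not-listed"
    flags = [php_bool(config_src, "useSendmail"), php_bool(config_src, "edit_identity")]
    if False in flags:
        return "preconditions-not-met"   # at least one required setting is off
    if None in flags:
        return "check-manually"          # a setting was not found in this file
    return "preconditions-met"           # both settings on: prioritise the patch


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, "1.4.22"))
```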
© 1999-2016 by The SquirrelMail Project Team