paul Posted August 23, 2006

Cross-site scripting (XSS) vulnerability in search.php in SquirrelMail 1.5.1 and earlier, when register_globals is enabled, allows remote attackers to inject arbitrary HTML via the mailbox parameter (CVE-2006-3174). NOTE: The SquirrelMail developers dispute this issue, but the relevant code has been reworked to be sure. The patch has been applied to the Mandriva packages.

Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and references of other users (CVE-2006-4019).

Updated packages are patched to address these issues.