FreeBSD: VID-928d5c59-2a5a-11e8-a712-0025908740c2 (CVE-2018-8741): SquirrelMail -- post-authentication access privileges
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:P/I:P/A:P) | Mar 17, 2018 | Dec 10, 2025 | Dec 10, 2025 |
Description
Florian Grunow reports:

An attacker able to exploit this vulnerability can extract files of the server the application is running on. This may include configuration files, log files and additionally all files that are readable for all users on the system. This issue is post-authentication. That means an attacker would need valid credentials for the application to log in or needs to exploit an additional vulnerability of which we are not aware at this point of time.

An attacker would also be able to delete files on the system, if the user running the application has the rights to do so.

Does this issue affect me? Likely yes, if you are using SquirrelMail. We checked the latest development version, which is 1.5.2-svn and the latest version available for download at this point of time, 1.4.22. Both contain the vulnerable code.
Solution
freebsd-upgrade-package-squirrelmail