Rapid7 Vulnerability & Exploit Database

RHSA-2002:204: Updated squirrelmail packages close cross-site scripting vulnerabilities

Back to Search

RHSA-2002:204: Updated squirrelmail packages close cross-site scripting vulnerabilities

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
10/04/2002
Created
07/25/2018
Added
10/28/2005
Modified
07/04/2017

Description

Updated squirrelmail packages are now available for Red Hat Linux.

SquirrelMail is a webmail package written in PHP. Two vulnerabilities have been found that affect SquirrelMail version 1.2.7 and earlier. Cross-site scripting vulnerabilities allow remote attackers to execute script as other web users via addressbook.php, options.php, search.php, or help.php. It is possible for remote attackers to determine the absolute pathname of the options.php script via a malformed optpage file argument, which generates an error message when the file cannot be included in the script. Red Hat Linux 8 shipped with SquirrelMail version 1.2.7 and is therefore vulnerable to these issues. All users are advised to upgrade to these errata packages containing SquirrelMail version 1.2.8 which is not vulnerable to these issues.

Solution(s)

  • redhat-upgrade-squirrelmail

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;