|
[Japanese]
|
JVNDB-2007-000398
|
SquirrelMail vulnerable to cross-site scripting
|
|
SquirrelMail contains a cross-site scripting vulnerability.
SquirrelMail from SquirrelMail Project is an open source webmail (web-based email).
SquirrelMail contains an issue in handling specific character encoding and processing "data:" URL, which may result in cross-site scripting.
Yosuke Hasegawa from Matcha139 reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
|
SquirrelMail Project
- SquirrelMail 1.4.0 to 1.4.9a
Red Hat, Inc.
- Red Hat Enterprise Linux 5 (server)
- Red Hat Enterprise Linux 3 (as)
- Red Hat Enterprise Linux 4 (as)
- Red Hat Enterprise Linux 3 (es)
- Red Hat Enterprise Linux 4 (es)
- Red Hat Enterprise Linux 3 (ws)
- Red Hat Enterprise Linux 4 (ws)
- Red Hat Enterprise Linux Desktop 3.0
- Red Hat Enterprise Linux Desktop 4.0
- RHEL Desktop Workstation 5 (client)
|
|
|
An arbitrary script may be executed on the user's web browser.
|
|
[Update the Software]
Update to the latest version of SquirrelMail according to the information provided by the developer.
The issue was resolved in SquirrelMail 1.4.10.
|
|
SquirrelMail Project
Red Hat, Inc.
|
|
- Cross-site Scripting(CWE-79) [IPA Evaluation]
|
|
- CVE-2007-1262
|
|
- JVN : JVN#09157962
- National Vulnerability Database (NVD) : CVE-2007-1262
- Secunia Advisory : SA25200
- SecurityFocus : 23910
- SecurityTracker : 1018033
- FrSIRT Advisories : FrSIRT/ADV-2007-1748
|
|
- [2011/01/07]
Web page published
|
