JVNDB-2009-002207
|
SquirrelMail vulnerable to cross-site request forgery
|
SquirrelMail contains a cross-site request forgery vulnerability.
SquirrelMail, from the SquirrelMail Project, is an open source webmail (web-based email) application.
SquirrelMail contains an issue in the processing of message sending and settings changes, which may result in cross-site request forgery.
Daiki Fukumori reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
SquirrelMail Project
- SquirrelMail 1.4.19 and earlier
Apple Inc.
- Apple Mac OS X v10.5.8
- Apple Mac OS X v10.6 through v10.6.3
- Apple Mac OS X Server v10.5.8
- Apple Mac OS X Server v10.6 through v10.6.3
MIRACLE LINUX CORPORATION
- Asianux Server 3 (x86)
- Asianux Server 3 (x86-64)
Red Hat, Inc.
- Red Hat Enterprise Linux 5 (server)
- Red Hat Enterprise Linux 3 (as)
- Red Hat Enterprise Linux 4 (as)
- Red Hat Enterprise Linux 4.8 (as)
- Red Hat Enterprise Linux 3 (es)
- Red Hat Enterprise Linux 4 (es)
- Red Hat Enterprise Linux 4.8 (es)
- Red Hat Enterprise Linux 3 (ws)
- Red Hat Enterprise Linux 4 (ws)
- Red Hat Enterprise Linux Desktop 3.0
- Red Hat Enterprise Linux Desktop 4.0
- Red Hat Enterprise Linux EUS 5.4.z (server)
- RHEL Desktop Workstation 5 (client)
|
A remote attacker may send arbitrary email or change settings as the logged-in user.
|
[Update the Software]
Update to the latest version of SquirrelMail according to the information provided by the developer.
The issue was resolved in SquirrelMail 1.4.20.
|
SquirrelMail Project
Apple Inc.
- Apple Security Updates : HT4188
MIRACLE LINUX CORPORATION
Red Hat, Inc.
|
- Cross-Site Request Forgery (CWE-352) [IPA Evaluation]
|
- CVE-2009-2964
|
- JVN : JVN#30881447
- National Vulnerability Database (NVD) : CVE-2009-2964
- Secunia Advisory : SA34627
- SecurityFocus : 36196
- ISS X-Force Database : 52406
- VUPEN Security : VUPEN/ADV-2009-2262
- OPEN SOURCE VULNERABILITY DATABASE (OSVDB) : 57001
|
- [2011/01/07]
Web page published
|