Vulnerability Note VU#153043
SquirrelMail compose.php script does not adequately validate input, thereby allowing an arbitrary user to send messages
Some versions of SquirrelMail do not properly validate input. Attackers can spoof email addresses through this vulnerability.
An attacker could craft an email message to a SquirrelMail user which, when read by the user, could automatically send email from the user's account to any address of the attacker's choice. This vulnerability could also be used in a cross-site scripting attack to hijack an authenticated user's session.
Upgrade SquirrelMail to version 1.2.4 or later, available from:
Systems Affected

|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|SquirrelMail Project Team|Affected|28 Jan 2002|30 May 2002|
Thanks to Tom McAdam for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
- CVE IDs: CVE-2002-1648
- Date Public: 24 Jan 2002
- Date First Published: 30 May 2002
- Date Last Updated: 10 May 2007
- Severity Metric: 1.07
- Document Revision: 12