Skip to main content

Squirrelmail CVE-2018-14952

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-08-05 cve@mitre.org
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Aug 05, 2018 - 18:29 nvd
MEDIUM 6.1

DescriptionNVD

The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack.

AnalysisAI

The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack. Affected products include: Squirrelmail. Version information: through 1.4.22.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2017-7692 HIGH POC
8.8 Apr 20

SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a

CVE-2019-12970 MEDIUM POC
6.1 Jul 01

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Rated medium severity (CVSS 6.1), this vulner

CVE-2018-14955 MEDIUM POC
6.1 Aug 05

The mail message display page in SquirrelMail through 1.4.22 has XSS via SVG animations (animate to attribute). Rated me

CVE-2018-14954 MEDIUM POC
6.1 Aug 05

The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute. Rated medium severity

CVE-2018-14953 MEDIUM POC
6.1 Aug 05

The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack. Rated medium seve

CVE-2018-14951 MEDIUM POC
6.1 Aug 05

The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack. Rated mediu

CVE-2018-14950 MEDIUM POC
6.1 Aug 05

The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<svg><a xlink:href=" attack. Rated medium se

CVE-2020-14932 CRITICAL
9.8 Jun 20

compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET reques

CVE-2020-14933 HIGH
8.8 Jun 20

compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST requ

CVE-2018-8741 HIGH
8.8 Mar 17

A directory traversal flaw in SquirrelMail 1.4.22 allows an authenticated attacker to exfiltrate (or potentially delete)

CVE-2012-2124 MEDIUM
5.0 Jan 18

functions/imap_general.php in SquirrelMail, as used in Red Hat Enterprise Linux (RHEL) 4 and 5, does not properly handle

Share

CVE-2018-14952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy