Vulnerability Name:

CVE-2004-0519 (CCN-16025)

Assigned: 2004-04-29
Published: 2004-04-29
Updated: 2017-10-11
Summary: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
CVSS v3 Severity: 5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Access
References:

Source: SGI
Type: Patch
20040604-01-U

Source: CCN
Type: BugTraq Mailing List, Thu Apr 29 2004 - 16:09:06 CDT
SquirrelMail Cross Scripting Attacks....

Source: CCN
Type: BugTraq Mailing List, Fri Apr 30 2004 - 15:22:47 CDT
Re: SquirrelMail Cross Scripting Attacks....

Source: MITRE
Type: CNA
CVE-2004-0519

Source: CONECTIVA
Type: UNKNOWN
CLA-2004:858

Source: CCN
Type: Conectiva Linux Announcement CLSA-2004:858
Several vulnerabilities in SquirrelMail

Source: BUGTRAQ
Type: UNKNOWN
20040429 SquirrelMail Cross Scripting Attacks....

Source: CCN
Type: RHSA-2004-240
squirrelmail security update

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2004:240

Source: CCN
Type: SA11531
SquirrelMail Folder Name Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
11531

Source: SECUNIA
Type: Patch, Vendor Advisory
11686

Source: SECUNIA
Type: Patch, Vendor Advisory
11870

Source: SECUNIA
Type: Patch
12289

Source: GENTOO
Type: Vendor Advisory
GLSA-200405-16

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-535

Source: DEBIAN
Type: DSA-535
squirrelmail -- several vulnerabilities

Source: CCN
Type: GLSA-200405-16
Multiple XSS Vulnerabilities in SquirrelMail

Source: SUSE
Type: Vendor Advisory
SUSE-SR:2005:019

Source: FEDORA
Type: Patch, Vendor Advisory
FEDORA-2004-160

Source: BUGTRAQ
Type: UNKNOWN
20040430 Re: SquirrelMail Cross Scripting Attacks....

Source: BID
Type: Exploit, Patch
10246

Source: CCN
Type: BID-10246
SquirrelMail Folder Name Cross-Site Scripting Vulnerability

Source: CCN
Type: SquirrelMail Web site
SquirrelMail - Webmail for Nuts!

Source: FEDORA
Type: Patch
FEDORA-2004-1733

Source: XF
Type: UNKNOWN
squirrel-composephp-xss(16025)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1006

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10274

Source: SUSE
Type: SUSE-SR:2005:019
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:sgi:propack:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.10:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.11:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:conectiva:linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20040519 | V | CVE-2004-0519 | 2015-11-16
    oval:org.mitre.oval:def:10274 | V | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. | 2013-04-29
    oval:org.mitre.oval:def:1006 | V | SquirrelMail Cross-site Scripting Vulnerability I | 2010-09-20
    oval:org.debian:def:535 | V | several vulnerabilities | 2004-08-02
    oval:com.redhat.rhsa:def:20040240 | P | RHSA-2004:240: squirrelmail security update (Important) | 2004-06-14
    sgi propack 3.0
    squirrelmail squirrelmail 1.0.4
    squirrelmail squirrelmail 1.0.5
    squirrelmail squirrelmail 1.2.0
    squirrelmail squirrelmail 1.2.1
    squirrelmail squirrelmail 1.2.2
    squirrelmail squirrelmail 1.2.3
    squirrelmail squirrelmail 1.2.4
    squirrelmail squirrelmail 1.2.5
    squirrelmail squirrelmail 1.2.6
    squirrelmail squirrelmail 1.2.7
    squirrelmail squirrelmail 1.2.8
    squirrelmail squirrelmail 1.2.9
    squirrelmail squirrelmail 1.2.10
    squirrelmail squirrelmail 1.2.11
    squirrelmail squirrelmail 1.4
    squirrelmail squirrelmail 1.4.1
    squirrelmail squirrelmail 1.4.2
    squirrelmail squirrelmail 1.4.2
    redhat linux 3.0
    debian debian linux 3.0
    gentoo linux *
    conectiva linux 9.0
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3
    redhat enterprise linux 3