Vulnerability Name:

CVE-2004-0520 (CCN-16285)

Assigned: 2004-05-23
Published: 2004-05-23
Updated: 2017-10-11
Summary: Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.
CVSS v3 Severity: 5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
CCN CVSS v2 Severity: 5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information
References:
Source: SGI
Type: Patch
20040604-01-U

Source: CCN
Type: BugTraq Mailing List, Thu Jun 03 2004 - 07:43:27 CDT
[openwebmail] Fw: Re: XSS bug.

Source: MITRE
Type: CNA
CVE-2004-0520

Source: MITRE
Type: CNA
CVE-2004-0639

Source: CONECTIVA
Type: UNKNOWN
CLA-2004:858

Source: CCN
Type: Conectiva Linux Announcement CLSA-2004:858
Several vulnerabilities in SquirrelMail

Source: CCN
Type: IlohaMail Web site
IlohaMail

Source: BUGTRAQ
Type: UNKNOWN
20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability

Source: MLIST
Type: UNKNOWN
[squirrelmail-cvs] 20040523 [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28

Source: CCN
Type: Open WebMail Web site
Index of /openwebmail/download

Source: CCN
Type: RHSA-2004-240
squirrelmail security update

Source: REDHAT
Type: Patch, Vendor Advisory
RHSA-2004:240

Source: SECUNIA
Type: Patch, Vendor Advisory
11870

Source: SECUNIA
Type: Patch, Vendor Advisory
12289

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-535

Source: DEBIAN
Type: DSA-535
squirrelmail -- several vulnerabilities

Source: CCN
Type: GLSA-200406-08
Squirrelmail: Another XSS vulnerability

Source: GENTOO
Type: Vendor Advisory
GLSA-200406-08

Source: CCN
Type: OSVDB ID: 51270
IlohaMail Email Header XSS

Source: CCN
Type: OSVDB ID: 54626
Open WebMail (OWM) E-mail Multiple Content Header XSS

Source: CCN
Type: OSVDB ID: 8291
SquirrelMail read_body.php Multiple Parameter XSS

Source: CCN
Type: OSVDB ID: 8292
SquirrelMail mailbox_display.php Multiple Parameter XSS

Source: CCN
Type: RS-Labs Security Advisory RS-2004-1
SquirrelMail "Content-Type" XSS vulnerability

Source: MISC
Type: Vendor Advisory
http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

Source: FEDORA
Type: Patch, Vendor Advisory
FEDORA-2004-160

Source: BID
Type: Exploit, Patch
10439

Source: CCN
Type: BID-10439
SquirrelMail Email Header HTML Injection Vulnerability

Source: CCN
Type: BID-10450
SquirrelMail From Email Header HTML Injection Vulnerability

Source: CCN
Type: BID-10667
Open WebMail Email Header HTML Injection Vulnerability

Source: CCN
Type: BID-10668
IlohaMail Email Header HTML Injection Vulnerability

Source: CCN
Type: SquirrelMail Web site
SquirrelMail - Webmail for Nuts!

Source: FEDORA
Type: Patch
FEDORA-2004-1733

Source: XF
Type: UNKNOWN
squirrelmail-from-header-xss(16285)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1012

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:10766

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:open_webmail:open_webmail:2.30:*:*:*:*:*:*:*
  • OR cpe:/a:open_webmail:open_webmail:2.31:*:*:*:*:*:*:*
  • OR cpe:/a:open_webmail:open_webmail:2.32:*:*:*:*:*:*:*
  • OR cpe:/a:sgi:propack:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.10:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.11:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.5_dev:*:*:*:*:*:*:*

  Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions

Definition ID: oval:org.mitre.oval:def:10766
Class: V
Title: Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.
Last Modified: 2013-04-29

Definition ID: oval:org.mitre.oval:def:1012
Class: V
Title: SquirrelMail Cross-site Scripting Vulnerability II
Last Modified: 2010-09-20

Definition ID: oval:org.debian:def:535
Class: V
Title: several vulnerabilities
Last Modified: 2004-08-02

Definition ID: oval:com.redhat.rhsa:def:20040240
Class: P
Title: RHSA-2004:240: squirrelmail security update (Important)
Last Modified: 2004-06-14