Vulnerability Name:CVE-2004-0521 (CCN-16235)

Assigned:2004-04-27
Published:2004-04-27
Updated:2017-10-11
Summary:SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.
CVSS v3 Severity:10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-Other (the summary describes SQL injection, which corresponds to CWE-89)
Vulnerability Consequences:Data Manipulation
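The summary only says the injection is "probably via abook_database.php" and that the impact is unknown; the affected code is not reproduced on this page. The block below is an added illustration of the bug class, not SquirrelMail's code: the table name, columns, sample contacts and payloads are constructed for the example. It puts an address-book lookup that pastes an untrusted nickname into the SQL text beside the same lookup with bound parameters, and shows how the string-built version lets a nickname escape the owner scoping or pull other columns.

```python
import sqlite3

# Constructed schema and rows, loosely modelled on a per-user webmail address
# book. This is NOT SquirrelMail's schema or code; it only illustrates the bug class.
SCHEMA = """
CREATE TABLE address (
    owner     TEXT NOT NULL,
    nickname  TEXT NOT NULL,
    firstname TEXT,
    lastname  TEXT,
    email     TEXT NOT NULL
);
"""

SAMPLE_ROWS = [
    ("alice",   "bob",   "Bob",   "Smith", "bob@example.org"),
    ("alice",   "carol", "Carol", "Jones", "carol@example.org"),
    ("mallory", "eve",   "Eve",   "Adams", "eve@example.org"),
]


def open_db():
    """Fresh in-memory database seeded with the constructed contacts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO address VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner, nickname):
    """Vulnerable pattern: the nickname is pasted into the SQL text, so quote
    characters in it change the statement instead of being compared as data."""
    query = ("SELECT email FROM address WHERE owner = '%s' AND nickname = '%s'"
             % (owner, nickname))
    return [row[0] for row in conn.execute(query)]


def lookup_fixed(conn, owner, nickname):
    """Hardened form: bound parameters keep the nickname as a value; the SQL
    text is fixed at development time and cannot be reshaped by the input."""
    query = "SELECT email FROM address WHERE owner = ? AND nickname = ?"
    return [row[0] for row in conn.execute(query, (owner, nickname))]


# Constructed payloads. The first turns the WHERE clause into a tautology and
# so ignores the owner scoping; the second appends a UNION that reads another
# column and comments out the trailing quote the template would add.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT owner || ':' || email FROM address --"


def demo():
    """Run both lookups against a normal nickname and both payloads."""
    conn = open_db()
    return {
        "fixed_normal": lookup_fixed(conn, "alice", "bob"),
        "vulnerable_tautology": sorted(lookup_vulnerable(conn, "alice", TAUTOLOGY)),
        "vulnerable_union": sorted(lookup_vulnerable(conn, "alice", UNION_DUMP)),
        "fixed_tautology": lookup_fixed(conn, "alice", TAUTOLOGY),
        "fixed_union": lookup_fixed(conn, "alice", UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%s: %s" % (name, rows))
```

The string-built lookup returns every owner's contacts for the tautology payload and an owner:email listing for the UNION payload, while the parameterised lookup returns nothing for either, because the whole payload is compared as a nickname. When auditing a PHP code base for this class, the thing to look for is any query assembled with string interpolation or concatenation from request data; escaping helpers reduce the exposure, bound parameters remove it.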
References:Source: SGI
Type: UNKNOWN
20040604-01-U

Source: MITRE
Type: CNA
CVE-2004-0521

Source: CONECTIVA
Type: UNKNOWN
CLA-2004:858

Source: CCN
Type: Conectiva Linux Announcement CLSA-2004:858
Several vulnerabilities in SquirrelMail

Source: MLIST
Type: UNKNOWN
[squirrelmail-cvs] 20040427 [SM-CVS] CVS: squirrelmail/functions abook_database.php,1.15.2.1,1.15.2.2

Source: MLIST
Type: UNKNOWN
[squirrelmail-devel] 20040511 [SM-DEVEL] SquirrelMail 1.4.3-RC1 Release

Source: CCN
Type: RHSA-2004-240
squirrelmail security update

Source: REDHAT
Type: UNKNOWN
RHSA-2004:240

Source: CCN
Type: SA11685
Squirrelmail Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
11685

Source: SECUNIA
Type: UNKNOWN
11686

Source: SECUNIA
Type: UNKNOWN
11870

Source: SECUNIA
Type: UNKNOWN
12289

Source: GENTOO
Type: Vendor Advisory
GLSA-200405-16

Source: CCN
Type: CIAC Information Bulletin O-212
Apple Security Update

Source: CIAC
Type: UNKNOWN
O-212

Source: DEBIAN
Type: UNKNOWN
DSA-535

Source: DEBIAN
Type: DSA-535
squirrelmail -- several vulnerabilities

Source: CCN
Type: GLSA-200405-16
Multiple XSS Vulnerabilities in SquirrelMail

Source: OSVDB
Type: UNKNOWN
6841

Source: CCN
Type: OSVDB ID: 6841
SquirrelMail abook_database.php SQL Injection

Source: FEDORA
Type: UNKNOWN
FEDORA-2004-160

Source: APPLE
Type: UNKNOWN
APPLE-SA-2004-09-07

Source: BID
Type: Patch, Vendor Advisory
10397

Source: CCN
Type: BID-10397
SquirrelMail Unspecified SQL Injection Vulnerability

Source: CCN
Type: SquirrelMail Web site
SquirrelMail - Webmail for Nuts!

Source: FEDORA
Type: UNKNOWN
FEDORA-2004-1733

Source: XF
Type: UNKNOWN
squirrelmail-sql-injection(16235)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1033

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11446

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sgi:propack:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.10:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.11:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
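Deciding whether an installed copy falls under "before 1.4.3 RC1" means comparing version strings with the release candidate ordered before the final release, which a plain numeric or lexical comparison does not do. The following added check is not from this page or the SquirrelMail project; the accepted spellings of the version string are an assumption of the example, and the release list it cross-checks is the one from the vulnerable-configuration block above.

```python
import re

# The fixed version named on this page: "before 1.4.3 RC1" means 1.4.3 RC1 is
# the first build carrying the fix, so every earlier release is affected.
FIXED = "1.4.3 RC1"

# Releases listed in the page's vulnerable-configuration block (CPE entries).
LISTED_VERSIONS = (["1.0.4", "1.0.5"]
                   + ["1.2.%d" % n for n in range(12)]
                   + ["1.4", "1.4.1", "1.4.2"])

# Accepted forms (an assumption of this example): 1.4, 1.4.2, 1.4.3 RC1,
# 1.4.3-RC1, 1.4.3rc1. Anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(
    r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:[\s._-]*rc\s*(\d+))?\s*", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, stage, candidate) so tuples sort correctly.
    stage 0 = release candidate, stage 1 = final release, which places every
    RC of a version before that version's final build."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError("unrecognised SquirrelMail version string: %r" % text)
    major, minor, patch, rc = m.groups()
    patch = int(patch) if patch is not None else 0
    if rc is not None:
        return (int(major), int(minor), patch, 0, int(rc))
    return (int(major), int(minor), patch, 1, 0)


def is_affected(version, fixed=FIXED):
    """True when `version` sorts strictly before the first fixed build."""
    return parse_version(version) < parse_version(fixed)


def listed_versions_affected():
    """Cross-check: every release the page lists should come out as affected."""
    return all(is_affected(v) for v in LISTED_VERSIONS)


if __name__ == "__main__":
    for v in ["1.2.11", "1.4.2", "1.4.3 RC1", "1.4.3", "1.4.4"]:
        print("%-10s affected=%s" % (v, is_affected(v)))
    print("all listed CPE versions affected:", listed_versions_affected())
```

The ordering matters beyond this one advisory: had the fix first shipped in a final release, its release candidates would still be affected, and a comparison that strips the RC suffix would report them as fixed.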
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20040521 | V | CVE-2004-0521 | 2015-11-16
    oval:org.mitre.oval:def:11446 | V | SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. | 2013-04-29
    oval:org.mitre.oval:def:1033 | V | SquirrelMail SQL Injection Vulnerability | 2010-09-20
    oval:org.debian:def:535 | V | several vulnerabilities | 2004-08-02
    oval:com.redhat.rhsa:def:20040240 | P | RHSA-2004:240: squirrelmail security update (Important) | 2004-06-14
    (Class: V = vulnerability definition, P = patch definition)