Vulnerability Name:

CVE-2006-0195 (CCN-24848)

Assigned:2006-02-10
Published:2006-02-10
Updated:2017-10-11
Summary:Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer.
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: SGI
Type: UNKNOWN
20060501-01-U

Source: MITRE
Type: CNA
CVE-2006-0195

Source: CCN
Type: RHSA-2006-0283
squirrelmail security update

Source: CCN
Type: SA18985
SquirrelMail Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
18985

Source: SECUNIA
Type: UNKNOWN
19130

Source: SECUNIA
Type: UNKNOWN
19131

Source: SECUNIA
Type: UNKNOWN
19176

Source: SECUNIA
Type: UNKNOWN
19205

Source: SECUNIA
Type: UNKNOWN
19960

Source: SECUNIA
Type: UNKNOWN
20210

Source: CCN
Type: SECTRACK ID: 1015662
SquirrelMail Input Validation Bugs Let Remote Users Inject IMAP Commands and Conduct Cross-Site Scripting Attacks

Source: SECTRACK
Type: UNKNOWN
1015662

Source: CCN
Type: ASA-2006-096
squirrelmail security update (RHSA-2006-0283)

Source: DEBIAN
Type: UNKNOWN
DSA-988

Source: DEBIAN
Type: DSA-988
squirrelmail -- several vulnerabilities

Source: CCN
Type: GLSA-200603-09
SquirrelMail: Cross-site scripting and IMAP command injection

Source: GENTOO
Type: UNKNOWN
GLSA-200603-09

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:049

Source: SUSE
Type: UNKNOWN
SUSE-SR:2006:005

Source: FEDORA
Type: UNKNOWN
FEDORA-2006-133

Source: REDHAT
Type: UNKNOWN
RHSA-2006:0283

Source: BID
Type: UNKNOWN
16756

Source: CCN
Type: BID-16756
SquirrelMail Multiple Cross-Site Scripting and IMAP Injection Vulnerabilities

Source: CCN
Type: SquirrelMail Web site
Possible XSS in MagicHTML, IE only

Source: CONFIRM
Type: UNKNOWN
http://www.squirrelmail.org/security/issue/2006-02-10

Source: VUPEN
Type: UNKNOWN
ADV-2006-0689

Source: XF
Type: UNKNOWN
squirrelmail-magichtml-xss(24848)

Source: XF
Type: UNKNOWN
squirrelmail-magichtml-xss(24848)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9548

Source: SUSE
Type: SUSE-SR:2006:005
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3_r3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3a:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.4_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4_rc1:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20060195
    V
    		CVE-2006-0195
    2015-11-16
    oval:org.mitre.oval:def:9548
    V
    		Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer.
    2013-04-29
    oval:com.redhat.rhsa:def:20060283
    P
    		RHSA-2006:0283: squirrelmail security update (Moderate)
    2006-05-03
    oval:org.debian:def:988
    V
    		several vulnerabilities
    2006-03-08
    BACK
    squirrelmail squirrelmail 1.4
    squirrelmail squirrelmail 1.4.1
    squirrelmail squirrelmail 1.4.2
    squirrelmail squirrelmail 1.4.3
    squirrelmail squirrelmail 1.4.3_r3
    squirrelmail squirrelmail 1.4.3_rc1
    squirrelmail squirrelmail 1.4.3a
    squirrelmail squirrelmail 1.4.4
    squirrelmail squirrelmail 1.4.4_rc1
    squirrelmail squirrelmail 1.4.5
    squirrelmail squirrelmail 1.4.6_rc1
    squirrelmail squirrelmail 1.4_rc1