Vulnerability Name:

CVE-2006-6142 (CCN-30693)

Assigned:2006-12-02
Published:2006-12-02
Updated:2017-10-11
Summary:Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter."
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: SGI
Type: UNKNOWN
20070201-01-P

Source: MITRE
Type: CNA
CVE-2006-6142

Source: CCN
Type: Apple Security Update 2007-007
About Security Update 2007-007

Source: CONFIRM
Type: UNKNOWN
http://docs.info.apple.com/article.html?artnum=306172

Source: CCN
Type: Apple Web site
Apple security updates

Source: FEDORA
Type: UNKNOWN
FEDORA-2007-088

Source: FEDORA
Type: UNKNOWN
FEDORA-2007-089

Source: APPLE
Type: UNKNOWN
APPLE-SA-2007-07-31

Source: CCN
Type: RHSA-2007-0022
Moderate: squirrelmail security update

Source: CCN
Type: SA23195
SquirrelMail Multiple Cross-Site Scripting Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
23195

Source: SECUNIA
Type: UNKNOWN
23322

Source: CCN
Type: SA23409
SUSE Update for Multiple Packages

Source: SECUNIA
Type: UNKNOWN
23409

Source: SECUNIA
Type: UNKNOWN
23504

Source: SECUNIA
Type: UNKNOWN
23811

Source: SECUNIA
Type: UNKNOWN
24004

Source: SECUNIA
Type: UNKNOWN
24284

Source: CCN
Type: SA26235
Mac OS X Security Update Fixes Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
26235

Source: CCN
Type: SECTRACK ID: 1017327
SquirrelMail Input Validation Flaws in Compose, Draft, and HTML Viewing Functions Permit Cross-Site Scripting Attacks

Source: SECTRACK
Type: UNKNOWN
1017327

Source: CCN
Type: SourceForge.net
SquirrelMail Release 1.4.9a

Source: CONFIRM
Type: UNKNOWN
http://sourceforge.net/project/shownotes.php?release_id=468482

Source: CCN
Type: SquirrelMail Web site
Cross site scripting in compose, draft & HTML mail viewing

Source: CONFIRM
Type: UNKNOWN
http://squirrelmail.org/security/issue/2006-12-02

Source: CCN
Type: ASA-2007-112
squirrelmail security update (RHSA-2007-0022)

Source: DEBIAN
Type: UNKNOWN
DSA-1241

Source: DEBIAN
Type: DSA-1241
squirrelmail -- cross-site scripting

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:226

Source: SUSE
Type: UNKNOWN
SUSE-SR:2006:029

Source: SUSE
Type: UNKNOWN
SUSE-SR:2007:004

Source: REDHAT
Type: UNKNOWN
RHSA-2007:0022

Source: BID
Type: UNKNOWN
21414

Source: CCN
Type: BID-21414
SquirrelMail Multiple Cross Site Scripting and Input Validation Vulnerabilities

Source: BID
Type: UNKNOWN
25159

Source: CCN
Type: BID-25159
Apple Mac OS X 2007-007 Multiple Security Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2006-4828

Source: VUPEN
Type: UNKNOWN
ADV-2007-2732

Source: XF
Type: UNKNOWN
squirrelmail-webmail-compose-xss(30693)

Source: XF
Type: UNKNOWN
squirrelmail-magichtml-messages-xss(30694)

Source: XF
Type: UNKNOWN
squirrelmail-mimeheader-xss(30695)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-849

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:9988

Source: SUSE
Type: SUSE-SR:2006:029
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2007:004
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3_r3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3aa:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.4_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6_cvs:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4_rc1:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • * Denotes that component is vulnerable
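The summary above (repeated for CCN-30694 and CCN-30695 below) names the concrete injection points: the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php, and the magicHTML filter. The two checks a practitioner wants from that are "is my install in the affected range" and "has anyone probed those parameters". The script below is an added example written for this page; it is not SquirrelMail project code and not taken from any of the referenced advisories. It assumes an Apache/nginx combined-format access log, treats pre-release tags (_rc, _r, _cvs) of an affected version as affected and 1.4.9a (the fix release listed under References) and later as not affected, and the log lines it scans are constructed here for illustration. The markup heuristic also catches double URL-encoded payloads, which the summary does not discuss; a hit means a probe was attempted, not that it succeeded.

```python
"""Triage helpers for CVE-2006-6142 (SquirrelMail reflected XSS).

Added example, not SquirrelMail project code. Two checks: is a given
version string inside the range the advisory names, and do web-log
requests carry markup in the parameters the advisory names.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# --- 1. Version check -------------------------------------------------------
# Accepts the spellings seen in the CPE list above ("1.4", "1.4_rc1",
# "1.4.3_r3", "1.4.3aa", "1.4.6_cvs") plus the fix release "1.4.9a".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]*)(?:_(?:rc|r)\d+|_cvs)?$")


def parse_version(text):
    """Split a SquirrelMail version string into (major, minor, patch, letters)."""
    m = VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SquirrelMail version: {text!r}")
    major, minor, patch, letters = m.groups()
    return int(major), int(minor), int(patch or 0), letters


def is_affected(text):
    """True if the version is in 1.4.0 through 1.4.9, the range the advisory names.

    Assumption (not stated on the page): pre-release tags of an affected
    version count as affected; 1.4.9a, which shipped the fix, and anything
    newer do not.
    """
    major, minor, patch, letters = parse_version(text)
    if (major, minor) != (1, 4):
        return False            # 1.2.x / 1.5.x are outside the range named here
    if patch < 9:
        return True
    if patch == 9:
        return letters == ""    # 1.4.9 vulnerable, 1.4.9a fixed
    return False


# --- 2. Web-log scan --------------------------------------------------------
# Scripts and parameters named in the summary.
WATCHED = {
    "webmail.php": {"mailto"},
    "compose.php": {"session", "delete_draft"},
}
# Tag openers, javascript: URLs and on*= handlers. Heuristic: a hit is a
# probe attempt, not a confirmed exploit.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
# Apache/nginx combined log format (assumed).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_request(target):
    """Return [(script, param), ...] for watched parameters carrying markup."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    watched = WATCHED.get(script)
    if not watched:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        # parse_qs decoded once; decode again so %253C-style double encoding is caught.
        if any(MARKUP.search(unquote_plus(v)) for v in values):
            hits.append((script, name))
    return hits


def scan_log(lines):
    """Return one finding dict per (request, parameter) that looks like a probe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for script, param in flag_request(m.group("target")):
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                "script": script, "param": param,
            })
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Dec/2006:10:15:02 +0000] "GET /squirrelmail/src/webmail.php?mailto=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1532',
    '198.51.100.7 - - [02/Dec/2006:10:15:09 +0000] "GET /squirrelmail/src/compose.php?session=0%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 2210',
    '203.0.113.5 - - [02/Dec/2006:10:16:44 +0000] "GET /squirrelmail/src/compose.php?mailbox=INBOX&delete_draft=12 HTTP/1.1" 200 3104',
    '203.0.113.5 - - [02/Dec/2006:10:17:01 +0000] "GET /squirrelmail/src/right_main.php?sort=0 HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for v in ("1.4.3_rc1", "1.4.9", "1.4.9a", "1.4.10"):
        print(f"{v:10} affected={is_affected(v)}")
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['script']} param={f['param']} status={f['status']}")
```

The third sample line is a legitimate draft deletion and is not flagged; only requests whose watched parameter contains a tag, a javascript: URL or an event handler are reported. The magicHTML vector (4) is inside message bodies, not the query string, so it is out of reach of an access-log scan and needs mail-store inspection instead.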
    Vulnerability Name:

    CVE-2006-6142 (CCN-30694)

    Assigned:2006-12-02
    Published:2006-12-02
    Updated:2006-12-02
    Summary:Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter."
    CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): High
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None
    CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
    5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
    4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
    3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): High
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): None
    Vulnerability Consequences:Gain Access
    References:Source: MITRE
    Type: CNA
    CVE-2006-6142

    Source: CCN
    Type: Apple Security Update 2007-007
    About Security Update 2007-007

    Source: CCN
    Type: Apple Web site
    Apple security updates

    Source: CCN
    Type: RHSA-2007-0022
    Moderate: squirrelmail security update

    Source: CCN
    Type: SA23195
    SquirrelMail Multiple Cross-Site Scripting Vulnerabilities

    Source: CCN
    Type: SA23409
    SUSE Update for Multiple Packages

    Source: CCN
    Type: SA26235
    Mac OS X Security Update Fixes Multiple Vulnerabilities

    Source: CCN
    Type: SECTRACK ID: 1017327
    SquirrelMail Input Validation Flaws in Compose, Draft, and HTML Viewing Functions Permit Cross-Site Scripting Attacks

    Source: CCN
    Type: SourceForge.net
    SquirrelMail Release 1.4.9a

    Source: CCN
    Type: SquirrelMail Web site
    Cross site scripting in compose, draft & HTML mail viewing

    Source: CCN
    Type: ASA-2007-112
    squirrelmail security update (RHSA-2007-0022)

    Source: DEBIAN
    Type: DSA-1241
    squirrelmail -- cross-site scripting

    Source: CCN
    Type: BID-21414
    SquirrelMail Multiple Cross Site Scripting and Input Validation Vulnerabilities

    Source: CCN
    Type: BID-25159
    Apple Mac OS X 2007-007 Multiple Security Vulnerabilities

    Source: XF
    Type: UNKNOWN
    squirrelmail-magichtml-messages-xss(30694)

    Source: SUSE
    Type: SUSE-SR:2006:029
    SUSE Security Summary Report

    Source: SUSE
    Type: SUSE-SR:2007:004
    SUSE Security Summary Report

    Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*
  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2006-6142 (CCN-30695)

    Assigned:2006-12-02
    Published:2006-12-02
    Updated:2017-10-11
    Summary:Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter."
    CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): High
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): Low
    Integrity (I): Low
    Availability (A): None
    CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
    5.9 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
    4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
    3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): High
    Authentication (Au): None
    Impact Metrics:Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): None
    Vulnerability Type:CWE-Other
    Vulnerability Consequences:Gain Access
    References:Source: MITRE
    Type: CNA
    CVE-2006-6142

    Source: CCN
    Type: Apple Security Update 2007-007
    About Security Update 2007-007

    Source: CCN
    Type: Apple Web site
    Apple security updates

    Source: CCN
    Type: RHSA-2007-0022
    Moderate: squirrelmail security update

    Source: CCN
    Type: SA23195
    SquirrelMail Multiple Cross-Site Scripting Vulnerabilities

    Source: CCN
    Type: SA23409
    SUSE Update for Multiple Packages

    Source: CCN
    Type: SA26235
    Mac OS X Security Update Fixes Multiple Vulnerabilities

    Source: CCN
    Type: SECTRACK ID: 1017327
    SquirrelMail Input Validation Flaws in Compose, Draft, and HTML Viewing Functions Permit Cross-Site Scripting Attacks

    Source: CCN
    Type: SourceForge.net
    SquirrelMail Release 1.4.9a

    Source: CCN
    Type: SquirrelMail Web site
    Cross site scripting in compose, draft & HTML mail viewing

    Source: CCN
    Type: ASA-2007-112
    squirrelmail security update (RHSA-2007-0022)

    Source: DEBIAN
    Type: DSA-1241
    squirrelmail -- cross-site scripting

    Source: CCN
    Type: BID-21414
    SquirrelMail Multiple Cross Site Scripting and Input Validation Vulnerabilities

    Source: CCN
    Type: BID-25159
    Apple Mac OS X 2007-007 Multiple Security Vulnerabilities

    Source: XF
    Type: UNKNOWN
    squirrelmail-mimeheader-xss(30695)

    Source: SUSE
    Type: SUSE-SR:2006:029
    SUSE Security Summary Report

    Source: SUSE
    Type: SUSE-SR:2007:004
    SUSE Security Summary Report

    Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*
  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID: oval:org.opensuse.security:def:20066142
    Class: V (vulnerability)
    Title: CVE-2006-6142
    Last Modified: 2015-11-16

    Definition ID: oval:org.mitre.oval:def:9988
    Class: V (vulnerability)
    Title: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter."
    Last Modified: 2013-04-29

    Definition ID: oval:com.redhat.rhsa:def:20070022
    Class: P (patch)
    Title: RHSA-2007:0022: squirrelmail security update (Moderate)
    Last Modified: 2008-03-20

    Definition ID: oval:org.debian:def:1241
    Class: V (vulnerability)
    Title: cross-site scripting
    Last Modified: 2006-12-25