Vulnerability Name:

CVE-2007-1262 (CCN-34815)

Assigned:2007-05-09
Published:2007-05-09
Updated:2017-10-11
Summary:Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer.
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: BugTraq Mailing List, Thu May 10 2007 - 07:02:20 CDT
squirrelmail CSRF vulnerability

Source: MITRE
Type: CNA
CVE-2007-1262

Source: CCN
Type: Apple Security Update 2007-007
About Security Update 2007-007

Source: CONFIRM
Type: UNKNOWN
http://docs.info.apple.com/article.html?artnum=306172

Source: CCN
Type: Apple Web site
Apple security updates

Source: JVN
Type: UNKNOWN
JVN#09157962

Source: JVNDB
Type: UNKNOWN
JVNDB-2007-000398

Source: APPLE
Type: UNKNOWN
APPLE-SA-2007-07-31

Source: OSVDB
Type: UNKNOWN
35887

Source: OSVDB
Type: UNKNOWN
35888

Source: CCN
Type: RHSA-2007-0358
Moderate: squirrelmail security update

Source: CCN
Type: SA25200
SquirrelMail Cross-Site Scripting and Request Forgery Vulnerabilities

Source: SECUNIA
Type: Patch, Vendor Advisory
25200

Source: SECUNIA
Type: UNKNOWN
25236

Source: SECUNIA
Type: UNKNOWN
25320

Source: SECUNIA
Type: UNKNOWN
25690

Source: SECUNIA
Type: UNKNOWN
25787

Source: CCN
Type: SA26235
Mac OS X Security Update Fixes Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
26235

Source: CCN
Type: SECTRACK ID: 1018033
SquirrelMail Input Validation Holes in HTML Filter Permit Cross-Site Scripting Attacks

Source: CCN
Type: SourceForge.net
SquirrelMail

Source: CCN
Type: ASA-2007-262
squirrelmail security update (RHSA-2007-0358)

Source: DEBIAN
Type: UNKNOWN
DSA-1290

Source: DEBIAN
Type: DSA-1290
squirrelmail -- missing input sanitising

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2007:106

Source: SUSE
Type: UNKNOWN
SUSE-SR:2007:013

Source: CCN
Type: OSVDB ID: 35887
SquirrelMail HTML E-mail Attachment Data URI XSS

Source: CCN
Type: OSVDB ID: 35888
SquirrelMail with MSIE Unspecified Non-ASCII Character Set XSS

Source: BID
Type: UNKNOWN
23910

Source: CCN
Type: BID-23910
SquirrelMail Multiple Cross Site Scripting Vulnerabilities

Source: BID
Type: UNKNOWN
25159

Source: CCN
Type: BID-25159
Apple Mac OS X 2007-007 Multiple Security Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1018033

Source: CCN
Type: SquirrelMail Security Advisory 2007-05-09
Cross site scripting in HTML filter

Source: CONFIRM
Type: UNKNOWN
http://www.squirrelmail.org/security/issue/2007-05-09

Source: VUPEN
Type: UNKNOWN
ADV-2007-1748

Source: VUPEN
Type: UNKNOWN
ADV-2007-2732

Source: XF
Type: UNKNOWN
squirrelmail-multiple-xss(34815)

Source: CONFIRM
Type: UNKNOWN
https://issues.rpath.com/browse/RPL-1353

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11712

Source: REDHAT
Type: UNKNOWN
RHSA-2007:0358

Source: SUSE
Type: SUSE-SR:2007:013
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/a:squirrelmail:squirrelmail:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3_r3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3a:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3aa:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.4_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6_cvs:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.9a:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

  • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

  • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20071262
    V
    CVE-2007-1262
    2015-11-16
    oval:org.mitre.oval:def:17997
    P
    DSA-1290-1 squirrelmail
    2014-06-23
    oval:org.mitre.oval:def:22600
    P
    ELSA-2007:0358: squirrelmail security update (Moderate)
    2014-05-26
    oval:org.mitre.oval:def:11712
    V
    Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer.
    2013-04-29
    oval:com.redhat.rhsa:def:20070358
    P
    RHSA-2007:0358: squirrelmail security update (Moderate)
    2007-05-17
    oval:org.debian:def:1290
    V
    missing input sanitising
    2007-05-13
    BACK
    squirrelmail squirrelmail 1.4.0
    squirrelmail squirrelmail 1.4.1
    squirrelmail squirrelmail 1.4.2
    squirrelmail squirrelmail 1.4.3
    squirrelmail squirrelmail 1.4.3_r3
    squirrelmail squirrelmail 1.4.3_rc1
    squirrelmail squirrelmail 1.4.3a
    squirrelmail squirrelmail 1.4.3aa
    squirrelmail squirrelmail 1.4.4
    squirrelmail squirrelmail 1.4.4_rc1
    squirrelmail squirrelmail 1.4.5
    squirrelmail squirrelmail 1.4.6
    squirrelmail squirrelmail 1.4.6_cvs
    squirrelmail squirrelmail 1.4.6_rc1
    squirrelmail squirrelmail 1.4.7
    squirrelmail squirrelmail 1.4.8
    squirrelmail squirrelmail 1.4.9
    squirrelmail squirrelmail 1.4.9a