Vulnerability Name:

CVE-2011-2023 (CCN-68509)

Assigned:2011-07-10
Published:2011-07-10
Updated:2012-02-14
Summary:Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2011-2023

Source: APPLE
Type: UNKNOWN
APPLE-SA-2012-02-01-1

Source: CCN
Type: RHSA-2012-0103
Moderate: squirrelmail security update

Source: REDHAT
Type: UNKNOWN
RHSA-2012:0103

Source: CCN
Type: SA40019
exim Hardlink Handling and MBX Locking Two Weaknesses

Source: CCN
Type: SA45197
SquirrelMail Multiple Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1025766

Source: CCN
Type: SquirrelMail SVN Repository
SquirrelMail

Source: CONFIRM
Type: Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14121

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/kb/HT5130

Source: DEBIAN
Type: UNKNOWN
DSA-2291

Source: DEBIAN
Type: DSA-2291
squirrelmail -- various vulnerabilities

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2011:123

Source: CCN
Type: OSVDB ID: 74085
SquirrelMail functions/mime.php Email Message STYLE Tag XSS

Source: CCN
Type: BID-40451
Exim Sticky Mail Directory Local Privilege Escalation Vulnerability

Source: CCN
Type: BID-48648
SquirrelMail Multiple HTML Injection, Cross Site Scripting, and Security Bypass Vulnerabilities

Source: CCN
Type: SquirrelMail Web site
SquirrelMail - Webmail for Nuts!

Source: CCN
Type: SquirrelMail Web Page
XSS vulnerability in message display

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.squirrelmail.org/security/issue/2011-07-10

Source: CONFIRM
Type: Patch
https://bugzilla.redhat.com/show_bug.cgi?id=720695

Source: XF
Type: UNKNOWN
squirrelmail-message-xss(68509)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:squirrelmail:squirrelmail:0.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.3pre1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.3pre2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.4pre1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.4pre2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.5pre1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:0.5pre2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0pre1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0pre2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.0pre3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.6:rc1:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.10:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.2.11:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.0:rc2a:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.0-r1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2-r1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2-r2:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2-r3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2-r4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.2-r5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3:r3:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3:rc1:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3a:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.3aa:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.5:rc1:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6:rc1:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.6_cvs:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.8.4fc6:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.9a:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.10:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.10a:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.11:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.12:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.13:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.15:rc1:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.15rc1:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.16:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.17:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.18:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.19:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:1.4.20:*:*:*:*:*:*:*
  • OR cpe:/a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:* (Version <= 1.4.21)

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

    • Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

    • Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

    • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

    • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:squirrelmail:squirrelmail:1.4.21:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:14993
    P
    		DSA-2291-1 squirrelmail -- various
    2014-06-23
    oval:org.mitre.oval:def:23175
    P
    		ELSA-2012:0103: squirrelmail security update (Moderate)
    2014-05-26
    oval:org.mitre.oval:def:21288
    P
    		RHSA-2012:0103: squirrelmail security update (Moderate)
    2014-02-24
    oval:com.redhat.rhsa:def:20120103
    P
    		RHSA-2012:0103: squirrelmail security update (Moderate)
    2012-02-08
    oval:com.ubuntu.precise:def:20112023000
    V
    		CVE-2011-2023 on Ubuntu 12.04 LTS (precise) - low.
    2011-07-14
    BACK
    squirrelmail squirrelmail 0.1
    squirrelmail squirrelmail 0.1.1
    squirrelmail squirrelmail 0.1.2
    squirrelmail squirrelmail 0.2
    squirrelmail squirrelmail 0.2.1
    squirrelmail squirrelmail 0.3
    squirrelmail squirrelmail 0.3.1
    squirrelmail squirrelmail 0.3pre1
    squirrelmail squirrelmail 0.3pre2
    squirrelmail squirrelmail 0.4
    squirrelmail squirrelmail 0.4pre1
    squirrelmail squirrelmail 0.4pre2
    squirrelmail squirrelmail 0.5
    squirrelmail squirrelmail 0.5pre1
    squirrelmail squirrelmail 0.5pre2
    squirrelmail squirrelmail 1.0
    squirrelmail squirrelmail 1.0.1
    squirrelmail squirrelmail 1.0.2
    squirrelmail squirrelmail 1.0.3
    squirrelmail squirrelmail 1.0.4
    squirrelmail squirrelmail 1.0.5
    squirrelmail squirrelmail 1.0.6
    squirrelmail squirrelmail 1.0pre1
    squirrelmail squirrelmail 1.0pre2
    squirrelmail squirrelmail 1.0pre3
    squirrelmail squirrelmail 1.1.0
    squirrelmail squirrelmail 1.1.1
    squirrelmail squirrelmail 1.1.2
    squirrelmail squirrelmail 1.1.3
    squirrelmail squirrelmail 1.2
    squirrelmail squirrelmail 1.2.0
    squirrelmail squirrelmail 1.2.0 rc3
    squirrelmail squirrelmail 1.2.1
    squirrelmail squirrelmail 1.2.2
    squirrelmail squirrelmail 1.2.3
    squirrelmail squirrelmail 1.2.4
    squirrelmail squirrelmail 1.2.5
    squirrelmail squirrelmail 1.2.6
    squirrelmail squirrelmail 1.2.6 rc1
    squirrelmail squirrelmail 1.2.7
    squirrelmail squirrelmail 1.2.8
    squirrelmail squirrelmail 1.2.9
    squirrelmail squirrelmail 1.2.10
    squirrelmail squirrelmail 1.2.11
    squirrelmail squirrelmail 1.3.0
    squirrelmail squirrelmail 1.3.1
    squirrelmail squirrelmail 1.3.2
    squirrelmail squirrelmail 1.4
    squirrelmail squirrelmail 1.4 rc1
    squirrelmail squirrelmail 1.4.0
    squirrelmail squirrelmail 1.4.0 rc1
    squirrelmail squirrelmail 1.4.0 rc2a
    squirrelmail squirrelmail 1.4.0-r1
    squirrelmail squirrelmail 1.4.1
    squirrelmail squirrelmail 1.4.2
    squirrelmail squirrelmail 1.4.2-r1
    squirrelmail squirrelmail 1.4.2-r2
    squirrelmail squirrelmail 1.4.2-r3
    squirrelmail squirrelmail 1.4.2-r4
    squirrelmail squirrelmail 1.4.2-r5
    squirrelmail squirrelmail 1.4.3
    squirrelmail squirrelmail 1.4.3 r3
    squirrelmail squirrelmail 1.4.3 rc1
    squirrelmail squirrelmail 1.4.3a
    squirrelmail squirrelmail 1.4.3aa
    squirrelmail squirrelmail 1.4.4
    squirrelmail squirrelmail 1.4.4 rc1
    squirrelmail squirrelmail 1.4.5
    squirrelmail squirrelmail 1.4.5 rc1
    squirrelmail squirrelmail 1.4.6
    squirrelmail squirrelmail 1.4.6 rc1
    squirrelmail squirrelmail 1.4.6_cvs
    squirrelmail squirrelmail 1.4.7
    squirrelmail squirrelmail 1.4.8
    squirrelmail squirrelmail 1.4.8.4fc6
    squirrelmail squirrelmail 1.4.9
    squirrelmail squirrelmail 1.4.9a
    squirrelmail squirrelmail 1.4.10
    squirrelmail squirrelmail 1.4.10a
    squirrelmail squirrelmail 1.4.11
    squirrelmail squirrelmail 1.4.12
    squirrelmail squirrelmail 1.4.13
    squirrelmail squirrelmail 1.4.15
    squirrelmail squirrelmail 1.4.15 rc1
    squirrelmail squirrelmail 1.4.15rc1
    squirrelmail squirrelmail 1.4.16
    squirrelmail squirrelmail 1.4.17
    squirrelmail squirrelmail 1.4.18
    squirrelmail squirrelmail 1.4.19
    squirrelmail squirrelmail 1.4.20
    squirrelmail squirrelmail *
    squirrelmail squirrelmail 1.4.21
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 4
    redhat enterprise linux 5
    redhat enterprise linux 5