squirrelmail
Category: Communications, oss-project
Latest CVEs
The 15 most recently published vulnerabilities affecting squirrelmail.
- CVE-2025-30090 (CVSS 7.2): mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true.
- CVE-2020-14932 (CVSS 9.8): compose.php in SquirrelMail 1.4.22 calls unserialize for the $mailtodata value, which originates from an HTTP GET request. This is related to mailto.php.
- CVE-2020-14933 (CVSS 8.8): compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP obje...
- CVE-2012-5623 (CVSS 7.5): Squirrelmail 4.0 uses the outdated MD5 hash algorithm for passwords.
- CVE-2019-12970 (CVSS 6.1): XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicio...
- CVE-2018-14955 (CVSS 6.1): The mail message display page in SquirrelMail through 1.4.22 has XSS via SVG animations (animate to attribute).
- CVE-2018-14954 (CVSS 6.1): The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute.
- CVE-2018-14953 (CVSS 6.1): The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math xlink:href=" attack.
- CVE-2018-14952 (CVSS 6.1): The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<math><maction xlink:href=" attack.
- CVE-2018-14951 (CVSS 6.1): The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<form action='data:text" attack.
- CVE-2018-14950 (CVSS 6.1): The mail message display page in SquirrelMail through 1.4.22 has XSS via a "<svg><a xlink:href=" attack.
- CVE-2018-8741 (CVSS 8.8): A directory traversal flaw in SquirrelMail 1.4.22 allows an authenticated attacker to exfiltrate (or potentially delete) files from the hosting server, related to ../ in the att_local_name field in...
- CVE-2017-7692 (CVSS 8.8): SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a sendmail.cf file that is mishandled in a popen call. It's possible to exploi...
- CVE-2012-2124 (CVSS 5.0): functions/imap_general.php in SquirrelMail, as used in Red Hat Enterprise Linux (RHEL) 4 and 5, does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a deni...
- CVE-2011-2753 (CVSS 6.8): Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) th...
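The two unserialize entries above (CVE-2020-14932 and CVE-2020-14933) describe the same class of bug: a serialized value taken from the request is handed to unserialize(), so the request decides which class gets instantiated. The illustration below is an added example, not SquirrelMail's own code; the TempFileCleanup class, the attachment-list shape and the function names are hypothetical, and it assumes PHP 7.0 or later for the allowed_classes option.

```php
<?php
// Added illustration, not SquirrelMail code: the pattern behind
// CVE-2020-14932 / CVE-2020-14933, in which a serialized value taken from the
// request is passed to unserialize(). Class, field and function names here
// are hypothetical.

$destructed = [];   // records side effects of __destruct for the demo

// Any loadable class with a magic method is a potential gadget. A real one
// might unlink($this->path) or write a file; this one only records the call.
class TempFileCleanup {
    public $path;
    public function __destruct() {
        global $destructed;
        $destructed[] = $this->path;
    }
}

// Vulnerable: the blob comes straight from $_GET / $_POST. unserialize()
// instantiates whatever class the blob names, so the attacker picks the object.
function vulnerable_restore(string $blob) {
    return unserialize($blob);
}

// Hardened: forbid object instantiation entirely (objects come back as
// __PHP_Incomplete_Class, which fails the is_array check) and verify the
// decoded shape, a list of ['name' => string, 'size' => int], before trusting it.
function hardened_restore(string $blob): ?array {
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    foreach ($data as $entry) {
        if (!is_array($entry)
            || !isset($entry['name'], $entry['size'])
            || !is_string($entry['name']) || !is_int($entry['size'])) {
            return null;
        }
    }
    return $data;
}

function demo(): array {
    global $destructed;
    // Constructed attacker-controlled value, as it might arrive in $_POST['attachments'].
    $hostile = 'O:15:"TempFileCleanup":1:{s:4:"path";s:6:"/tmp/x";}';
    // Constructed legitimate value of the expected shape.
    $benign  = 'a:1:{i:0;a:2:{s:4:"name";s:7:"foo.txt";s:4:"size";i:42;}}';

    $obj = vulnerable_restore($hostile);
    $instantiated = get_class($obj);   // the attacker-chosen class
    unset($obj);                        // __destruct fires here: the gadget's side effect

    return [
        'vulnerable_instantiated' => $instantiated,
        'destructor_ran_for'      => $destructed,
        'hardened_hostile'        => hardened_restore($hostile),   // rejected
        'hardened_benign'         => hardened_restore($benign),    // accepted
    ];
}

var_dump(demo());
```

The stronger fix is to stop round-tripping PHP serialization through the client at all and carry the attachment list as JSON (json_decode($blob, true) can never instantiate a class); the allowed_classes guard plus shape validation is the minimum when the serialized format has to stay.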
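For the directory traversal entry (CVE-2018-8741), the problem is an attachment name containing ../ being joined onto the per-user attachment directory. The following is an added example, not SquirrelMail code; the directory layout, the token format and the function names are hypothetical.

```php
<?php
// Added illustration, not SquirrelMail code: the class of flaw in
// CVE-2018-8741, where an attachment name carrying "../" selects a file
// outside the per-user attachment directory. Directory layout and function
// names are hypothetical.

// Vulnerable: the client-supplied name is joined onto the directory as-is.
function vulnerable_attachment_path(string $attachment_dir, string $att_local_name): string {
    return $attachment_dir . '/' . $att_local_name;
}

// Hardened: accept only the opaque token shape the server itself generates,
// then confirm the resolved path is still inside the attachment directory.
function safe_attachment_path(string $attachment_dir, string $att_local_name): ?string {
    if ($att_local_name === '.' || $att_local_name === '..'
        || !preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $att_local_name)) {
        return null;   // separators, NUL bytes, dot segments, empty names
    }
    $base = realpath($attachment_dir);
    if ($base === false) {
        return null;   // directory missing or unreadable
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $att_local_name;
    // realpath() follows symlinks, so a token that names a link leaving the
    // directory is caught here; a not-yet-existing file keeps its literal path.
    $resolved = realpath($candidate);
    if ($resolved === false) {
        $resolved = $candidate;
    }
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

function demo(): array {
    // Constructed scratch directory standing in for a user's attachment dir.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'att_demo_' . getmypid();
    mkdir($dir, 0700);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'abc123.tmp', 'attachment body');

    $hostile = '../../../etc/passwd';
    $results = [
        'vulnerable_joins'   => vulnerable_attachment_path($dir, $hostile),
        'safe_rejects'       => safe_attachment_path($dir, $hostile),
        'safe_accepts_token' => safe_attachment_path($dir, 'abc123.tmp'),
    ];

    unlink($dir . DIRECTORY_SEPARATOR . 'abc123.tmp');
    rmdir($dir);
    return $results;
}

var_dump(demo());
```

The allowlist regex is what actually closes the hole; the realpath() containment check is defence in depth for the case where the name passes the regex but resolves through a symlink to somewhere else.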
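For the popen entry (CVE-2017-7692), the underlying pattern is a shell command line assembled from a value the user can influence, so extra arguments reach sendmail. The block below is an added example rather than SquirrelMail's code; the sendmail path, the hostile value and the function names are hypothetical.

```php
<?php
// Added illustration, not SquirrelMail code: the pattern behind CVE-2017-7692,
// a popen() command line assembled from a value the user can influence. The
// sendmail path and function names are hypothetical.

// Vulnerable: the envelope sender is interpolated without quoting. A value
// containing a space or shell metacharacter adds arguments or commands.
function vulnerable_sendmail_cmd(string $sendmail_path, string $from): string {
    return "$sendmail_path -i -t -f $from";
}

// Hardened: require an address-shaped value that does not begin with "-"
// (sendmail would read that as an option whether or not it is quoted),
// then shell-quote every argument.
function hardened_sendmail_cmd(string $sendmail_path, string $from): ?string {
    if ($from === '' || $from[0] === '-'
        || !preg_match('/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/', $from)) {
        return null;
    }
    return escapeshellarg($sendmail_path) . ' -i -t -f ' . escapeshellarg($from);
}

function demo(): array {
    $path = '/usr/sbin/sendmail';   // assumed MTA path
    // Constructed hostile sender: smuggles an extra sendmail option (an
    // alternate configuration file) ahead of a plausible-looking address.
    $hostile = '-C/tmp/attacker.cf attacker@example.org';
    return [
        'vulnerable'       => vulnerable_sendmail_cmd($path, $hostile),
        'hardened_hostile' => hardened_sendmail_cmd($path, $hostile),
        'hardened_benign'  => hardened_sendmail_cmd($path, 'alice@example.org'),
    ];
}

var_dump(demo());
```

Quoting is the minimal fix; better is to avoid the shell altogether by passing an argument array to proc_open() (supported from PHP 7.4), so no string is ever re-parsed between the application and the MTA.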