Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.8
CVE Id CVE-2009-2964
Last Modified 14 Jan 2011 01:35:49
Published 25 Aug 2009 01:30:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-2964

Summary

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.

Vulnerable Systems

Application

  • Squirrelmail 0.1.1
  • Squirrelmail 0.1.2
  • Squirrelmail 1.0
  • Squirrelmail 1.0.1
  • Squirrelmail 1.0.2
  • Squirrelmail 1.0.3
  • Squirrelmail 1.0.4
  • Squirrelmail 1.0.5
  • Squirrelmail 1.0.6
  • Squirrelmail 1.0pre1
  • Squirrelmail 1.0pre2
  • Squirrelmail 1.0pre3
  • Squirrelmail 1.1.0
  • Squirrelmail 1.1.1
  • Squirrelmail 1.1.2
  • Squirrelmail 1.1.3
  • Squirrelmail 1.2
  • Squirrelmail 1.2.0
  • Squirrelmail 1.2.0 Rc3
  • Squirrelmail 1.2.1
  • Squirrelmail 1.2.10
  • Squirrelmail 1.2.11
  • Squirrelmail 1.2.2
  • Squirrelmail 1.2.3
  • Squirrelmail 1.2.4
  • Squirrelmail 1.2.5
  • Squirrelmail 1.2.6
  • Squirrelmail 1.2.6-rc1
  • Squirrelmail 1.2.7
  • Squirrelmail 1.2.8
  • Squirrelmail 1.2.9
  • Squirrelmail 1.3.0
  • Squirrelmail 1.3.1
  • Squirrelmail 1.3.2
  • Squirrelmail 1.4
  • Squirrelmail 1.4 Rc1
  • Squirrelmail 1.4.0
  • Squirrelmail 1.4.0 Rc1
  • Squirrelmail 1.4.0 Rc2a
  • Squirrelmail 1.4.0-r1
  • Squirrelmail 1.4.1
  • Squirrelmail 1.4.10
  • Squirrelmail 1.4.10a
  • Squirrelmail 1.4.11
  • Squirrelmail 1.4.12
  • Squirrelmail 1.4.13
  • Squirrelmail 1.4.15
  • Squirrelmail 1.4.15 Rc1
  • Squirrelmail 1.4.15rc1
  • Squirrelmail 1.4.16
  • Squirrelmail 1.4.17
  • Squirrelmail 1.4.18
  • Squirrelmail 1.4.19
  • Squirrelmail 1.4.2
  • Squirrelmail 1.4.2-r1
  • Squirrelmail 1.4.2-r2
  • Squirrelmail 1.4.2-r3
  • Squirrelmail 1.4.2-r4
  • Squirrelmail 1.4.2-r5
  • Squirrelmail 1.4.3
  • Squirrelmail 1.4.3 R3
  • Squirrelmail 1.4.3 Rc1
  • Squirrelmail 1.4.3a
  • Squirrelmail 1.4.3aa
  • Squirrelmail 1.4.4
  • Squirrelmail 1.4.4 Rc1
  • Squirrelmail 1.4.5
  • Squirrelmail 1.4.5 Rc1
  • Squirrelmail 1.4.6
  • Squirrelmail 1.4.6 Cvs
  • Squirrelmail 1.4.6 Rc1
  • Squirrelmail 1.4.7
  • Squirrelmail 1.4.8
  • Squirrelmail 1.4.8.4fc6
  • Squirrelmail 1.4.9
  • Squirrelmail 1.4.9a

References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=517312
VUPEN - ADV-2009-2262
CONFIRM - http://www.squirrelmail.org/security/issue/2009-08-12
CONFIRM - http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
CONFIRM - http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818
FEDORA - FEDORA-2009-8822
FEDORA - FEDORA-2009-8797
CONFIRM - https://gna.org/forum/forum.php?forum_id=2146
XF - squirrelmail-unspecified-csrf(52406)
VUPEN - ADV-2010-2080
VUPEN - ADV-2010-1481
VUPEN - ADV-2009-3315
BID - 36196
OSVDB - 57001
MANDRIVA - MDVSA-2009:222
DEBIAN - DSA-2091
CONFIRM - http://support.apple.com/kb/HT4188
SECUNIA - 40964
SECUNIA - 40220
SECUNIA - 37415
SECUNIA - 36363
SECUNIA - 34627
OSVDB - 60469
APPLE - APPLE-SA-2010-06-15-1
JVNDB - JVNDB-2009-002207
JVN - JVN#30881447
CONFIRM - http://download.gna.org/nasmail/nasmail-1.7.zip
CONFIRM - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818

Related Patches

Apple 2010-06-15 Mac OS X 10.6.4 Update Mac mini (Mid 2010)
Apple 2010-06-15 Mac OS X Server 10.6.4 Update Mac mini (Mid 2010)
Red Hat 2009:1490-01 RHSA Moderate: squirrelmail security update for RHEL 5 x86

Last Updated: 27 May 2016 10:51:04