ID CVE-2005-2724
Summary Cross-site scripting (XSS) vulnerability in SqWebMail 5.0.4 allows remote attackers to inject arbitrary web script or HTML via a file attachment that is processed by the Display feature. NOTE: the severity of this issue has been disputed by the developer.
References
Vulnerable Configurations
  • cpe:2.3:a:inter7:sqwebmail:3.4.1
  • cpe:2.3:a:inter7:sqwebmail:3.5.0
  • cpe:2.3:a:inter7:sqwebmail:3.5.1
  • cpe:2.3:a:inter7:sqwebmail:3.5.2
  • cpe:2.3:a:inter7:sqwebmail:3.5.3
  • cpe:2.3:a:inter7:sqwebmail:3.6.0
  • cpe:2.3:a:inter7:sqwebmail:3.6.1
  • cpe:2.3:a:inter7:sqwebmail:4.0.4_2004-05-24
  • cpe:2.3:a:inter7:sqwebmail:4.0.5
  • cpe:2.3:a:inter7:sqwebmail:4.0.6
  • cpe:2.3:a:inter7:sqwebmail:4.0.7
  • cpe:2.3:a:inter7:sqwebmail:5.0.0
  • cpe:2.3:a:inter7:sqwebmail:5.0.1
  • cpe:2.3:a:inter7:sqwebmail:5.0.4
CVSS
Base: 4.3 (as of 30-08-2005 - 08:38)
Impact:
Exploitability:
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-201-1.NASL
    description Several Cross Site Scripting vulnerabilities were discovered in SqWebmail. A remote attacker could exploit this to execute arbitrary JavaScript or other active HTML embeddable content in the web browser of an SqWebmail user by sending specially crafted emails to him. Please note that the 'sqwebmail' package is not officially supported by Ubuntu (it is in the 'universe' section of the archive). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 20617
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20617
    title Ubuntu 4.10 / 5.04 : courier vulnerabilities (USN-201-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-793.NASL
    description Jakob Balle discovered a vulnerability in the handling of attachments in sqwebmail, a web mail application provided by the courier mail suite, which can be exploited by an attacker to conduct script insertion attacks.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 19563
    published 2005-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19563
    title Debian DSA-793-1 : courier - missing input sanitising
refmap via4
bid 14650
bugtraq 20050824 Secunia Research: SqWebMail Attached File Script Insertion
debian DSA-793
misc http://secunia.com/secunia_research/2005-35/advisory/
mlist [courier-users] 20050824 Re: [SECUNIA] Vulnerability in SqWebMail
secunia
  • 16539
  • 17156
ubuntu USN-201-1
xf sqwebmail-contenttype-script-execution(21997)
Last major update 17-10-2016 - 23:29
Published 30-08-2005 - 07:45
Last modified 10-07-2017 - 21:32