CVE-2006-3665 - SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows remote attackers to hijack coo

CVE-2006-3665

Summary

SquirrelMail 1.4.6 and earlier, with register_globals enabled, allows remote attackers to hijack cookies in src/redirect.php via unknown vectors. NOTE: while "cookie theft" is frequently associated with XSS, the vendor disclosure is too vague to be certain of this.

References

http://www.securityfocus.com/bid/17005
http://www.squirrelmail.org/changelog.php
http://www.vupen.com/english/advisories/2006/2708
https://exchange.xforce.ibmcloud.com/vulnerabilities/27632

Vulnerable Configurations

cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 20-07-2017 - 01:32)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:P/A:N

refmap via4

bid	17005
confirm	http://www.squirrelmail.org/changelog.php
vupen	ADV-2006-2708
xf	squirrelmail-redirect-cookie-hijack(27632)

Last major update

20-07-2017 - 01:32

Published

18-07-2006 - 15:47

Last modified

20-07-2017 - 01:32