| ID |
CVE-2006-4019
|
| Summary |
Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and preferences of other users. This vulnerability is addressed in the following product release:
SquirrelMail, SquirrelMail, 1.4.8 |
| References |
|
| Vulnerable Configurations |
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_r3:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_r3:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3a:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3a:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4_rc1:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4_rc1:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_rc1:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_rc1:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.7:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4.7:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4_rc1:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.4_rc1:*:*:*:*:*:*:*
-
cpe:2.3:a:squirrelmail:squirrelmail:1.44:*:*:*:*:*:*:*
cpe:2.3:a:squirrelmail:squirrelmail:1.44:*:*:*:*:*:*:*
|
| CVSS |
| Base: | 6.4 (as of 17-10-2018 - 21:32) |
| Impact: | |
| Exploitability: | |
|
| CWE |
NVD-CWE-Other |
| CAPEC |
|
| Access |
| Vector | Complexity | Authentication |
| NETWORK |
LOW |
NONE |
|
| Impact |
| Confidentiality | Integrity | Availability |
| PARTIAL |
PARTIAL |
NONE |
|
| cvss-vector
via4
|
AV:N/AC:L/Au:N/C:P/I:P/A:N
|
| oval
via4
|
| accepted | 2013-04-29T04:14:36.438-04:00 | | class | vulnerability | | contributors | | name | Aharon Chernin | | organization | SCAP.com, LLC |
| name | Dragos Prisaca | | organization | G2, Inc. |
| | definition_extensions | | comment | The operating system installed on the system is Red Hat Enterprise Linux 3 | | oval | oval:org.mitre.oval:def:11782 |
| comment | CentOS Linux 3.x | | oval | oval:org.mitre.oval:def:16651 |
| comment | The operating system installed on the system is Red Hat Enterprise Linux 4 | | oval | oval:org.mitre.oval:def:11831 |
| comment | CentOS Linux 4.x | | oval | oval:org.mitre.oval:def:16636 |
| comment | Oracle Linux 4.x | | oval | oval:org.mitre.oval:def:15990 |
| | description | Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and preferences of other users. | | family | unix | | id | oval:org.mitre.oval:def:11533 | | status | accepted | | submitted | 2010-07-09T03:56:16-04:00 | | title | Dynamic variable evaluation vulnerability in compose.php in SquirrelMail 1.4.0 to 1.4.7 allows remote attackers to overwrite arbitrary program variables and read or write the attachments and preferences of other users. | | version | 30 |
|
| redhat
via4
|
| advisories | | bugzilla | | id | 1618173 | | title | CVE-2006-4019 security flaw |
| | oval | | OR | | comment | Red Hat Enterprise Linux must be installed | | oval | oval:com.redhat.rhba:tst:20070304026 |
| AND | | comment | Red Hat Enterprise Linux 4 is installed | | oval | oval:com.redhat.rhba:tst:20070304025 |
| comment | squirrelmail is earlier than 0:1.4.8-2.el4 | | oval | oval:com.redhat.rhsa:tst:20060668001 |
| comment | squirrelmail is signed with Red Hat master key | | oval | oval:com.redhat.rhsa:tst:20060283002 |
|
|
| | rhsa | | id | RHSA-2006:0668 | | released | 2006-09-26 | | severity | Moderate | | title | RHSA-2006:0668: squirrelmail security update (Moderate) |
|
| | rpms | - squirrelmail-0:1.4.8-2.el3
- squirrelmail-0:1.4.8-2.el4
|
|
| refmap
via4
|
| apple | APPLE-SA-2007-07-31 | | bid | | | bugtraq | - 20060811 SquirrelMail 1.4.8 released - fixes variable overwriting attack
- 20060811 rPSA-2006-0152-1 squirrelmail
| | confirm | | | debian | DSA-1154 | | fulldisc | 20060811 rPSA-2006-0152-1 squirrelmail | | mandriva | MDKSA-2006:147 | | misc | http://www.squirrelmail.org/patches/sqm1.4.7-expired-post-fix-full.patch | | osvdb | 27917 | | sectrack | 1016689 | | secunia | - 21354
- 21444
- 21586
- 22080
- 22104
- 22487
- 26235
| | sgi | 20061001-01-P | | suse | SUSE-SR:2006:023 | | vim | 20060811 SquirrelMail issue is dynamic variable evaluation | | vupen | - ADV-2006-3271
- ADV-2007-2732
| | xf | squirrelmail-compose-variable-overwrite(28365) |
|
| Last major update |
17-10-2018 - 21:32 |
| Published |
11-08-2006 - 21:04 |
| Last modified |
17-10-2018 - 21:32 |
