ID | CVE-2006-6142 |
Summary |
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter." |
References |
|
Vulnerable Configurations |
- cpe:2.3:a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_r3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3aa:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.4_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_cvs:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4_rc1:*:*:*:*:*:*:*
|
CVSS |
Base: | 6.8 (as of 11-10-2017 - 01:31) |
Impact: | |
Exploitability: | |
|
CWE |
NVD-CWE-Other |
CAPEC |
|
Access |
Vector | Complexity | Authentication |
NETWORK | MEDIUM | NONE |
|
Impact |
Confidentiality | Integrity | Availability |
PARTIAL | PARTIAL | PARTIAL |
|
cvss-vector
via4
|
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
oval
via4
|
accepted | 2013-04-29T04:23:55.853-04:00 |
class | vulnerability |
contributors |
- name | Aharon Chernin | organization | SCAP.com, LLC |
- name | Dragos Prisaca | organization | G2, Inc. |
definition_extensions |
- comment | The operating system installed on the system is Red Hat Enterprise Linux 3 | oval | oval:org.mitre.oval:def:11782 |
- comment | CentOS Linux 3.x | oval | oval:org.mitre.oval:def:16651 |
- comment | The operating system installed on the system is Red Hat Enterprise Linux 4 | oval | oval:org.mitre.oval:def:11831 |
- comment | CentOS Linux 4.x | oval | oval:org.mitre.oval:def:16636 |
- comment | Oracle Linux 4.x | oval | oval:org.mitre.oval:def:15990 |
description | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter." |
family | unix |
id | oval:org.mitre.oval:def:9988 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter." |
version | 29 |
|
redhat
via4
|
advisories |
bugzilla | id | 218297 | title | CVE-2006-6142 Three XSS issues in SquirrelMail |
oval | OR |
- comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026 |
- AND |
  - comment | Red Hat Enterprise Linux 4 is installed | oval | oval:com.redhat.rhba:tst:20070304025 |
  - comment | squirrelmail is earlier than 0:1.4.8-4.el4 | oval | oval:com.redhat.rhsa:tst:20070022001 |
  - comment | squirrelmail is signed with Red Hat master key | oval | oval:com.redhat.rhsa:tst:20060283002 |
rhsa | id | RHSA-2007:0022 | released | 2007-01-31 | severity | Moderate | title | RHSA-2007:0022: squirrelmail security update (Moderate) |
rpms |
- squirrelmail-0:1.4.8-4.el3
- squirrelmail-0:1.4.8-4.el4
|
refmap
via4
|
apple | APPLE-SA-2007-07-31 |
bid | |
confirm | |
debian | DSA-1241 |
fedora |
- FEDORA-2007-088
- FEDORA-2007-089
mandriva | MDKSA-2006:226 |
sectrack | 1017327 |
secunia |
- 23195
- 23322
- 23409
- 23504
- 23811
- 24004
- 24284
- 26235
sgi | 20070201-01-P |
suse |
- SUSE-SR:2006:029
- SUSE-SR:2007:004
vupen |
- ADV-2006-4828
- ADV-2007-2732
xf |
- squirrelmail-magichtml-messages-xss(30694)
- squirrelmail-mimeheader-xss(30695)
- squirrelmail-webmail-compose-xss(30693)
|
statements
via4
|
contributor | Mark J Cox | lastmodified | 2007-03-14 | organization | Red Hat | statement | Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch. |
|
Last major update |
11-10-2017 - 01:31 |
Published |
05-12-2006 - 11:28 |
Last modified |
11-10-2017 - 01:31 |