How to Buy
This script is Copyright (C) 2004-2015 Tenable Network Security, Inc.
The remote host has an application that is affected by
multiple cross-site scripting vulnerabilities.
The target is running at least one instance of SquirrelMail whose
version number is between 1.2.0 and 1.2.10 inclusive. Such versions do
not properly sanitize From headers, leaving users vulnerable to XSS
attacks. Further, since SquirrelMail displays From headers when listing
a folder, attacks does not require a user to actually open a message,
only view the folder listing.
For example, a remote attacker could effectively launch a DoS against
a user by sending a message with a From header such as :
which rewrites the session ID cookie and effectively logs the user
***** Nessus has determined the vulnerability exists on the target
***** simply by looking at the version number(s) of Squirrelmail
***** installed there.
Upgrade to SquirrelMail 1.2.11 or later or wrap the call to
sqimap_find_displayable_name in printMessageInfo in
functions/mailbox_display.php with a call to htmlentities.
Risk factor :
Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.7
Public Exploit Available : true
Family: CGI abuses : XSS
Nessus Plugin ID: 14217 ()
Bugtraq ID: 10450
CVE ID: CVE-2004-0639
Nessus Professional: Scan unlimited IPs, run compliance checks & moreNessus Cloud: The power of Nessus for teams – from the cloud
The cookie settings on this website are set to 'allow all cookies' to give you the very best website experience. If you continue without changing these settings, you consent to this - but if you want, you can opt out of all cookies by clicking below.