This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.
The remote webmail application is affected by a cross-site scripting
The installed version of SquirrelMail fails to sanitize user-supplied
input before using it in the 'contrib/decrypt_headers.php' script to
dynamically generate HTML.
An unauthenticated attacker can exploit this issue to launch
cross-site scripting attacks against the affected application.
There are also reportedly several other issues, including cross-site
scripting vulnerabilities, a code injection vulnerability, and a
session fixation vulnerability, though Nessus has not tested for
Upgrade to SquirrelMail 1.4.18 or later.
Risk factor :
Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.6
Public Exploit Available : true