Description

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818

http://download.gna.org/nasmail/nasmail-1.7.zip

http://jvn.jp/en/jp/JVN30881447/index.html

http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html

http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html

http://osvdb.org/60469

http://secunia.com/advisories/34627

http://secunia.com/advisories/36363

http://secunia.com/advisories/37415

http://secunia.com/advisories/40220

http://secunia.com/advisories/40964

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818

http://support.apple.com/kb/HT4188

http://www.debian.org/security/2010/dsa-2091

http://www.mandriva.com/security/advisories?name=MDVSA-2009:222

http://www.osvdb.org/57001

http://www.securityfocus.com/bid/36196

http://www.squirrelmail.org/security/issue/2009-08-12

http://www.vupen.com/english/advisories/2009/2262

http://www.vupen.com/english/advisories/2009/3315

http://www.vupen.com/english/advisories/2010/1481

http://www.vupen.com/english/advisories/2010/2080

https://bugzilla.redhat.com/show_bug.cgi?id=517312

https://exchange.xforce.ibmcloud.com/vulnerabilities/52406

https://gna.org/forum/forum.php?forum_id=2146

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html

Details

Risk Information

CVSS v2