SquirrelMail contrib/decrypt_headers.php XSS
Severity: Medium
Nessus Plugin ID: 38793
Synopsis
The remote webmail application is affected by a cross-site scripting vulnerability.
Description
The installed version of SquirrelMail fails to sanitize user-supplied input before using it in the 'contrib/decrypt_headers.php' script to dynamically generate HTML.
An unauthenticated, remote attacker can exploit this issue to inject arbitrary HTML or script code into a page served by the application; the injected code runs in the browser of a user who follows a crafted link, in the context of the affected site.
Several other issues have also been reported in the same release, including further cross-site scripting vulnerabilities, a code injection vulnerability, and a session fixation vulnerability, but Nessus has not tested for them.
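The bug class the description refers to, shown as an added illustration rather than SquirrelMail's own contrib/decrypt_headers.php code: a request parameter is concatenated into the HTML response unchanged, beside the same output routine with HTML encoding applied. The parameter name 'header', the table-cell markup and the probe string are assumptions made for the example.

```php
<?php
// Added illustration of the vulnerability class, not SquirrelMail's own
// contrib/decrypt_headers.php. The parameter name 'header', the <td>
// markup and the probe value are assumptions made for this example.

// Vulnerable pattern: the request parameter is concatenated into the HTML
// response as-is, so a value containing <script>...</script> is rendered
// and executed by the victim's browser.
function render_header_unsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened pattern: encode the value for an HTML context before output.
// ENT_QUOTES also neutralises ' and ", so the same helper is safe when the
// value lands inside a quoted attribute rather than element text.
function render_header_safe(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed probe standing in for attacker-supplied input; on the CLI
// $_GET is empty, so the default is used.
$probe = $_GET['header'] ?? '"><script>alert(document.cookie)</script>';

echo render_header_unsafe($probe), "\n";
echo render_header_safe($probe), "\n";

// Self-check: the encoded output must no longer contain a raw tag.
if (strpos(render_header_safe($probe), '<script') !== false) {
    fwrite(STDERR, "encoding failed\n");
    exit(1);
}
```

The fix is contextual output encoding at the point where the value is written into the page, not an input filter; encode for the context the value lands in (element text here, URL or JavaScript contexts need their own encoders). When reviewing a finding like this one, also confirm whether the script is reachable without a session, since that is what makes the issue exploitable by an unauthenticated attacker as the plugin states.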
Solution
Upgrade to SquirrelMail 1.4.18 or later.