CVE-2004-0520

Current Description

Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.
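The description names the sink only loosely (mime.php, exercised through read_body.php). The Python below is an added example, not SquirrelMail's code, that illustrates the bug class behind this CVE: a MIME Content-Type header value concatenated into an HTML page, shown beside the escaped form, plus a check an analyst can run over stored mail to flag Content-Type headers that carry markup. The function names, both sample messages and the script-tag payload are constructed for illustration; the advisory's actual payload and the exact code path in mime.php are not reproduced here.

```python
"""
Added example for CVE-2004-0520 (not SquirrelMail's code): the bug class is a
MIME Content-Type header value reaching an HTML page without escaping.
Function names, the sample messages and the payload below are illustrative
assumptions; the exact code path in mime.php / read_body.php and the payload
from the RS-Labs advisory are not reproduced.
"""
import email
import email.utils
import html
import re

# Constructed sample messages (not real captures). The sender controls every
# header, so a Content-Type parameter is attacker input as much as the body is.
MALICIOUS_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: text/plain; name="<script>alert(document.cookie)</script>.txt"

hello
"""

BENIGN_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: constructed benign message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed

hello
"""


def parse_message(raw):
    """Parse a raw RFC 2822 message held in a string."""
    return email.message_from_string(raw)


def content_type_param(msg, param):
    """Return one Content-Type parameter as text, handling RFC 2231 encoded values."""
    value = msg.get_param(param, header="content-type")
    if isinstance(value, tuple):  # (charset, language, encoded text)
        value = email.utils.collapse_rfc2231_value(value)
    return value or ""


def render_vulnerable(msg):
    """Bug pattern: header-derived text concatenated straight into HTML."""
    name = content_type_param(msg, "name")
    return '<div class="attachment">' + name + "</div>"


def render_hardened(msg):
    """Fix pattern: escape at the HTML sink, whatever the header contained."""
    name = content_type_param(msg, "name")
    return '<div class="attachment">' + html.escape(name, quote=True) + "</div>"


# Markup that has no business in a Content-Type header: a tag opener,
# a javascript: URL or an inline event handler attribute.
_SUSPICIOUS = re.compile(r"<\s*/?[a-z!?]|javascript:|\bon[a-z]+\s*=", re.I)


def suspicious_content_type(msg):
    """Return the raw Content-Type header if it looks like markup injection, else None.

    Intended for sweeping a mailbox or gateway capture for attempts against
    webmail clients that render this header.
    """
    raw = msg.get("Content-Type", "")
    return raw if _SUSPICIOUS.search(raw) else None


if __name__ == "__main__":
    evil = parse_message(MALICIOUS_EML)
    print("vulnerable:", render_vulnerable(evil))
    print("hardened:  ", render_hardened(evil))
    print("flagged:   ", suspicious_content_type(evil))
    print("benign:    ", suspicious_content_type(parse_message(BENIGN_EML)))
```

In the PHP code base the page describes, the equivalent of render_hardened is wrapping every header-derived string in htmlspecialchars() at the point it is written into the page; escaping at the sink is what makes the fix hold regardless of which header parameter an attacker chooses.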

Basic Data

Published: August 18, 2004
Last Modified: October 11, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-Other
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Integrity Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: true

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    (All entries are CPE 2.3. The Update, Edition, Language, SW Edition, Target SW, Target HW and Other fields are wildcards (*) on every row, and no Version Start/End Including/Excluding ranges are set.)

    Part        | Vendor       | Product      | Version
    Application | Open Webmail | Open Webmail | 2.30
    Application | Open Webmail | Open Webmail | 2.31
    Application | Open Webmail | Open Webmail | 2.32
    Application | Sgi          | Propack      | 3.0
    Application | Squirrelmail | Squirrelmail | 1.2.0
    Application | Squirrelmail | Squirrelmail | 1.2.1
    Application | Squirrelmail | Squirrelmail | 1.2.2
    Application | Squirrelmail | Squirrelmail | 1.2.3
    Application | Squirrelmail | Squirrelmail | 1.2.4
    Application | Squirrelmail | Squirrelmail | 1.2.5
    Application | Squirrelmail | Squirrelmail | 1.2.6
    Application | Squirrelmail | Squirrelmail | 1.2.7
    Application | Squirrelmail | Squirrelmail | 1.2.8
    Application | Squirrelmail | Squirrelmail | 1.2.9
    Application | Squirrelmail | Squirrelmail | 1.2.10
    Application | Squirrelmail | Squirrelmail | 1.2.11
    Application | Squirrelmail | Squirrelmail | 1.4
    Application | Squirrelmail | Squirrelmail | 1.4.1
    Application | Squirrelmail | Squirrelmail | 1.4.2
    Application | Squirrelmail | Squirrelmail | 1.4.3_rc1
    Application | Squirrelmail | Squirrelmail | 1.5_dev

Vulnerable Software List

Vendor       | Product      | Versions
Squirrelmail | Squirrelmail | 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.4, 1.4.1, 1.4.2, 1.4.3_rc1, 1.5_dev
Sgi          | Propack      | 3.0
Open Webmail | Open Webmail | 2.30, 2.31, 2.32

References

Name | Source | URL | Tags
20040604-01-U | SGI | ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc | PATCH
CLA-2004:858 | CONECTIVA | http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858 | (none)
20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability | BUGTRAQ | http://marc.info/?l=bugtraq&m=108611554415078&w=2 | (none)
[squirrelmail-cvs] 20040523 [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28 | MLIST | http://marc.info/?l=squirrelmail-cvs&m=108532891231712 | (none)
RHSA-2004:240 | REDHAT | http://rhn.redhat.com/errata/RHSA-2004-240.html | PATCH, Vendor Advisory
11870 | SECUNIA | http://secunia.com/advisories/11870 | PATCH, Vendor Advisory
12289 | SECUNIA | http://secunia.com/advisories/12289 | PATCH, Vendor Advisory
DSA-535 | DEBIAN | http://www.debian.org/security/2004/dsa-535 | PATCH, Vendor Advisory
GLSA-200406-08 | GENTOO | http://www.gentoo.org/security/en/glsa/glsa-200406-08.xml | Vendor Advisory
http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt | MISC | http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt | Vendor Advisory
FEDORA-2004-160 | FEDORA | http://www.securityfocus.com/advisories/6827 | PATCH, Vendor Advisory
10439 | BID | http://www.securityfocus.com/bid/10439 | Exploit, PATCH
FEDORA-2004-1733 | FEDORA | https://bugzilla.fedora.us/show_bug.cgi?id=1733 | PATCH
oval:org.mitre.oval:def:1012 | OVAL | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1012 | (none)
oval:org.mitre.oval:def:10766 | OVAL | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10766 | (none)