Description
Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by anonymous · text · webapps · php
https://www.exploit-db.com/exploits/24167
References (7)
Core References
Issue Tracking x_refsource_confirm
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257973
Vendor Advisory x_refsource_misc
http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16285
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=108611554415078&w=2
Patch, Vendor Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2004/dsa-535
Vendor Advisory vendor-advisory x_refsource_conectiva
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10450
Scores
EPSS: 0.0363
EPSS Percentile: 87.9%
Details
Status: published
Products (21)
open_webmail/open_webmail 2.30
open_webmail/open_webmail 2.31
open_webmail/open_webmail 2.32
sgi/propack 3.0
squirrelmail/squirrelmail 1.2.0
squirrelmail/squirrelmail 1.2.1
squirrelmail/squirrelmail 1.2.2
squirrelmail/squirrelmail 1.2.3
squirrelmail/squirrelmail 1.2.4
squirrelmail/squirrelmail 1.2.5
... and 11 more
Published: Aug 06, 2004
Tracked Since: Feb 18, 2026