Description
A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.
References (9)
Core 9
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
https://rhn.redhat.com/errata/RHSA-2009-0057.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/33611
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=480488
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=480224
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10366
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/48115
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1021611
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/33354
Scores
EPSS
0.0168
EPSS Percentile
73.9%
Details
CWE
CWE-287
Status
published
Products (1)
squirrelmail/squirrelmail
1.4.8
Published
Jan 21, 2009
Tracked Since
Feb 18, 2026