CVE-2009-0030

Red Hat SquirrelMail <1.4.8 - Info Disclosure

Title source: llm

Description

A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.

References (9)

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

[Vendor Advisory] http://secunia.com/advisories/33611

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=480224

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=480488

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/48115

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10366

[Vendor Advisory] https://rhn.redhat.com/errata/RHSA-2009-0057.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/33354

[Third Party Advisory, VDB Entry] http://securitytracker.com/id?1021611

Scores

EPSS 0.0105

EPSS Percentile 77.3%

Classification

CWE

CWE-287

Status draft

Affected Products (1)

squirrelmail/squirrelmail

Timeline

Published Jan 21, 2009

Tracked Since Feb 18, 2026