CVE-2009-2964
SquirrelMail < 1.4.19 - Cross-Site Request Forgery via Multiple Endpoints
Title source: llmDescription
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
References (29)
Core 29
Core References
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html
Various Sources x_refsource_confirm
https://gna.org/forum/forum.php?forum_id=2146
Patch x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=517312
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
Vendor Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
Patch, Vendor Advisory x_refsource_confirm
http://www.squirrelmail.org/security/issue/2009-08-12
Patch, Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2262
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1481
Various Sources x_refsource_confirm
http://download.gna.org/nasmail/nasmail-1.7.zip
Patch x_refsource_confirm
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
Third Party Advisory third-party-advisory
x_refsource_jvn
http://jvn.jp/en/jp/JVN30881447/index.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/34627
Issue Tracking x_refsource_confirm
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2010/dsa-2091
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4188
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/40220
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/60469
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/40964
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2080
Patch x_refsource_confirm
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/36196
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37415
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/36363
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3315
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/57001
Third Party Advisory third-party-advisory
x_refsource_jvndb
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
Scores
EPSS
0.0152
EPSS Percentile
71.6%
Details
CWE
CWE-352
Status
published
Products (46)
squirrelmail/squirrelmail
0.1.1
squirrelmail/squirrelmail
0.1.2
squirrelmail/squirrelmail
1.0
squirrelmail/squirrelmail
1.0.1
squirrelmail/squirrelmail
1.0.2
squirrelmail/squirrelmail
1.0.3
squirrelmail/squirrelmail
1.0.4
squirrelmail/squirrelmail
1.0.5
squirrelmail/squirrelmail
1.0.6
squirrelmail/squirrelmail
1.0pre1
... and 36 more
Published
Aug 25, 2009
Tracked Since
Feb 18, 2026