CVE-2002-1131
Published: 2002-10-04
Priority: P2 · 65 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitation status: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 25.75% (97.7th percentile)
Cross-site scripting vulnerabilities in SquirrelMail 1.2.7 and earlier allow remote attackers to execute script as other web users via (1) addressbook.php, (2) options.php, (3) search.php, or (4) help.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| squirrelmail | squirrelmail | <= 1.2.7 | — |
Detection & IOCs (extracted from sources)
Probe URLs:
- /src/search.php?mailbox=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&what=x&where=BODY&submit=Search
- /src/search.php?mailbox=INBOX&what=x&where=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E&submit=Search
Detection notes:
- Detect an XSS probe in the HTTP response body: look for the reflected 'alert(document.domain)' string in the HTML response body together with an HTTP 200 status and a text/html content type on SquirrelMail paths.
- Shodan/FOFA fingerprinting: identify exposed SquirrelMail instances via the HTTP title 'squirrelmail' as a pre-exploitation reconnaissance indicator.
Caveats:
- The vulnerability affects SquirrelMail 1.2.7 and earlier; the Nuclei template uses a wildcard CPE match, so version confirmation is needed before treating a detection as a true positive.
- The Nuclei template uses 'stop-at-first-match: true', meaning only the first vulnerable endpoint will be confirmed per scan run; all five paths should be tested independently for full coverage.
- The maximum request count for the detection template is 5 (one per vulnerable path); scanners should account for this when rate-limiting or batching requests.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-pjvq-p3hx-m7q2: Cross-site scripting vulnerabilities in SquirrelMail 1
ghsa_unreviewed · 2022-04-30 · HIGH
VulnCheck
squirrelmail squirrelmail Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck · 2002 · CVSS 7.5 · HIGH
Affected: squirrelmail squirrelmail
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://app.crowdsec.net/cti/cve-explorer/CVE-2002-1131
- https://www.labs.greynoise.io/grimoire/2025-12-26-coldfusion/
Red Hat
security flaw
vendor_redhat · 2002-09-16 · CVSS 7.5 · HIGH
No detection rules found.
Exploit-DB
SquirrelMail 1.2.6/1.2.7 - Multiple Cross-Site Scripting Vulnerabilities
exploitdb · 2002-09-19
---
source: https://www.securityfocus.com/bid/5763/info
SquirrelMail is a feature-rich webmail program implemented in the PHP4 language. It is available for Linux and Unix-based operating systems.
Multiple cross-site scripting vulnerabilities have been discovered in various PHP scripts included with SquirrelMail. By including embedded commands in a malicious link, it is possible for an attacker to execute HTML and script code on a web client in the context of the site hosting the webmail system.
This issue was reported for SquirrelMail 1.2.7; earlier versions may also be affected.
http://.net/webmail/src/addressbook.php?">alert(document.cookie).net/webmail/src/options.php?optpage=alert('boop!')
http://.net/w
Nuclei
SquirrelMail 1.2.6/1.2.7 - Cross-Site Scripting
nuclei · CVSS 7.5 · HIGH
The Virtual Keyboard plugin for SquirrelMail 1.2.6/1.2.7 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
Template:
```yaml
id: CVE-2002-1131
info:
  name: SquirrelMail 1.2.6/1.2.7 - Cross-Site Scripting
  author: dhiyaneshDk,s4e-io
  severity: high
  description: The Virtual Keyboard plugin for SquirrelMail 1.2.6/1.2.7 is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, data theft, or other malicious activities.
  remediation: |
    Upgrade to a patched v
```
References:
- http://archives.neohapsis.com/archives/bugtraq/2002-09/0246.html
- http://sourceforge.net/project/shownotes.php?group_id=311&release_id=110774
- http://www.debian.org/security/2002/dsa-191
- http://www.iss.net/security_center/static/10145.php
- http://www.redhat.com/support/errata/RHSA-2002-204.html
- http://www.securityfocus.com/bid/5763