CVE-2004-0519
Published 2004-08-18
Priority P4 (33) · medium · CVSS 2.0 6.8
AV:N / AC:M / Au:N / C:P / I:P / A:P
Exploit available · EPSS 22.53% (97.4th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
Affected
18 ranges (1 for sgi/propack, 17 for squirrelmail/squirrelmail); version bounds and fixed versions were not captured on this page.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sgi | propack | — | — |
| squirrelmail | squirrelmail | — (17 ranges) | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 6.8 | MEDIUM | — |
GHSA
GHSA-w2mg-247r-4xfc: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1
ghsa_unreviewed · 2022-05-03 · MEDIUM
Red Hat
security flaw
vendor_redhat · 2004-04-29 · CVSS 6.8 · MEDIUM
No detection rules found.
Exploit-DB
SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
exploitdb · 2004-04-30
---
source: https://www.securityfocus.com/bid/10246/info
It has been reported that SquirrelMail is affected by a cross-site scripting vulnerability in the handling of folder name displays. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamic web content.
This issue may allow for theft of cookie-based authentication credentials. Other attacks are also possible.
http://www.example.com/mail/src/compose.php?mailbox="><script>window.alert(document.cookie)</script>
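The PoC above works because the folder name from the `mailbox` query parameter is written into the page without attribute-context encoding, so `">` closes the attribute and the tag and the `<script>` element that follows is parsed as markup. The following is an added example, not SquirrelMail's own code: it models that bug beside a hardened renderer, and pairs the literal-reflection match a scanner (such as the Nuclei template below) performs with a parser-level check that counts `<script>` start tags. The form markup, function names and the `text/html` Content-Type string are assumptions for illustration; the payload is the one from the Exploit-DB entry.

```python
"""Reflected XSS via a folder-name parameter: vulnerable vs. hardened rendering,
plus the reflection check a scanner performs.

Added example, not SquirrelMail's code.  The form markup, function names and the
constructed Content-Type are assumptions for illustration only.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Payload from the Exploit-DB entry: `">` closes the attribute and the tag, then
# a script element follows.
PAYLOAD = '"><script>window.alert(document.cookie)</script>'
POC_URL = "http://www.example.com/mail/src/compose.php?mailbox=" + PAYLOAD
HTML_CT = "text/html; charset=iso-8859-1"  # assumed response header


def mailbox_from_url(url: str) -> str:
    """Extract the `mailbox` query parameter the way the server would see it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("mailbox", [""])[0]


def render_compose_vulnerable(mailbox: str) -> str:
    """Assumed shape of the bug: the folder name is interpolated into an HTML
    attribute with no encoding at all."""
    return (
        '<form action="compose.php" method="post">'
        f'<input type="hidden" name="mailbox" value="{mailbox}">'
        "</form>"
    )


def render_compose_fixed(mailbox: str) -> str:
    """Hardened form: attribute-context encoding of the untrusted value.
    html.escape(quote=True) encodes &, <, >, " and ', so the value can neither
    terminate the attribute nor open a new tag."""
    return (
        '<form action="compose.php" method="post">'
        f'<input type="hidden" name="mailbox" value="{html.escape(mailbox, quote=True)}">'
        "</form>"
    )


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags; a correctly attribute-encoded value can
    never produce one, whatever the payload looks like."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(markup: str) -> int:
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


# Literal-reflection matcher in the spirit of a Nuclei XSS template: the exact
# payload must come back in an HTML body.  Checking Content-Type avoids
# flagging JSON or plain-text endpoints that merely echo their input.
_REFLECTION = re.compile(r"<script>window\.alert\(document\.cookie\)</script>", re.I)


def reflects_unescaped(body: str, content_type: str) -> bool:
    if "text/html" not in content_type.lower():
        return False
    return _REFLECTION.search(body) is not None


def assess(url: str = POC_URL) -> dict:
    """Run the PoC parameter through both renderers and report what the
    scanner-style match and the parser-level check each conclude."""
    mailbox = mailbox_from_url(url)
    vulnerable = render_compose_vulnerable(mailbox)
    fixed = render_compose_fixed(mailbox)
    return {
        "vulnerable_reflects": reflects_unescaped(vulnerable, HTML_CT),
        "vulnerable_script_tags": count_script_tags(vulnerable),
        "fixed_reflects": reflects_unescaped(fixed, HTML_CT),
        "fixed_script_tags": count_script_tags(fixed),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

The literal match is what most templates do and is cheap, but it misses reflections where the application lowercases, truncates or partially encodes the input; the parser-level count is the stronger assertion for a regression test of the fix, because it checks the property that matters (no new element is created) rather than one payload string.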
Nuclei
SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
nuclei · CVSS 6.8 · MEDIUM
Template (as captured; cut off after `impact:`):
```yaml
id: CVE-2004-0519

info:
  name: SquirrelMail 1.4.x - Folder Name Cross-Site Scripting
  author: dhiyaneshDk
  severity: medium
  description: Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary J
```
References
- ftp://patches.sgi.com/support/free/security/advisories/20040604-01-U.asc
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000858
- http://marc.info/?l=bugtraq&m=108334862800260
- http://rhn.redhat.com/errata/RHSA-2004-240.html
- http://secunia.com/advisories/11531
- http://secunia.com/advisories/11686
- http://secunia.com/advisories/11870
- http://secunia.com/advisories/12289
- http://security.gentoo.org/glsa/glsa-200405-16.xml
- http://www.debian.org/security/2004/dsa-535
- http://www.novell.com/linux/security/advisories/2005_19_sr.html
- http://www.securityfocus.com/advisories/6827
- http://www.securityfocus.com/archive/1/361857
- http://www.securityfocus.com/bid/10246
- https://bugzilla.fedora.us/show_bug.cgi?id=1733
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16025
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1006
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10274