CVE-2006-6142: XSS
First published: Tue Dec 05 2006(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the (1) mailto parameter in (a) webmail.php, the (2) session and (3) delete_draft parameters in (b) compose.php, and (4) unspecified vectors involving "a shortcoming in the magicHTML filter."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SquirrelMail | =1.4 | |
| SquirrelMail | =1.4.1 | |
| SquirrelMail | =1.4.2 | |
| SquirrelMail | =1.4.3 | |
| SquirrelMail | =1.4.3_r3 | |
| SquirrelMail | =1.4.3_rc1 | |
| SquirrelMail | =1.4.3aa | |
| SquirrelMail | =1.4.4 | |
| SquirrelMail | =1.4.4_rc1 | |
| SquirrelMail | =1.4.5 | |
| SquirrelMail | =1.4.6 | |
| SquirrelMail | =1.4.6_cvs | |
| SquirrelMail | =1.4.6_rc1 | |
| SquirrelMail | =1.4.7 | |
| SquirrelMail | =1.4_rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://sourceforge.net/project/shownotes.php?release_id=468482
- http://squirrelmail.org/security/issue/2006-12-02
- http://www.securityfocus.com/bid/21414
- http://securitytracker.com/id?1017327
- http://secunia.com/advisories/23195
- https://issues.rpath.com/browse/RPL-849
- http://secunia.com/advisories/23322
- http://www.novell.com/linux/security/advisories/2006_29_sr.html
- http://secunia.com/advisories/23409
- http://www.debian.org/security/2006/dsa-1241
- http://secunia.com/advisories/23504
- http://fedoranews.org/cms/node/2438
- http://fedoranews.org/cms/node/2439
- http://www.redhat.com/support/errata/RHSA-2007-0022.html
- http://secunia.com/advisories/23811
- http://secunia.com/advisories/24004
- http://www.novell.com/linux/security/advisories/2007_4_sr.html
- http://docs.info.apple.com/article.html?artnum=306172
- http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:226
- http://www.securityfocus.com/bid/25159
- http://secunia.com/advisories/24284
- http://secunia.com/advisories/26235
- http://www.vupen.com/english/advisories/2007/2732
- http://www.vupen.com/english/advisories/2006/4828
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30695
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30694
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30693
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9988
Frequently Asked Questions
What is the severity of CVE-2006-6142?
CVE-2006-6142 is classified as a moderate severity vulnerability due to the potential for cross-site scripting attacks.
How do I fix CVE-2006-6142?
To fix CVE-2006-6142, upgrade to SquirrelMail version 1.4.10 or later where the vulnerabilities have been addressed.
What versions of SquirrelMail are affected by CVE-2006-6142?
CVE-2006-6142 affects SquirrelMail versions 1.4.0 through 1.4.9.
What types of attacks can be executed due to CVE-2006-6142?
The vulnerabilities in CVE-2006-6142 can allow remote attackers to inject arbitrary web script or HTML into the application.
Is there any workaround for CVE-2006-6142?
There are no official workarounds for CVE-2006-6142; upgrading to a secure version is recommended.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/author
- agent/severity
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/squirrelmail
- canonical/squirrelmail
- version/squirrelmail/1.4
- version/squirrelmail/1.4.1
- version/squirrelmail/1.4.2
- version/squirrelmail/1.4.3
- version/squirrelmail/1.4.3_r3
- version/squirrelmail/1.4.3_rc1
- version/squirrelmail/1.4.3aa
- version/squirrelmail/1.4.4
- version/squirrelmail/1.4.4_rc1
- version/squirrelmail/1.4.5
- version/squirrelmail/1.4.6
- version/squirrelmail/1.4.6_cvs
- version/squirrelmail/1.4.6_rc1
- version/squirrelmail/1.4.7
- version/squirrelmail/1.4_rc1