CVE-2009-0030
First published: Sat Jan 17 2009(Updated: )
A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SquirrelMail | =1.4.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://securitytracker.com/id?1021611
- https://rhn.redhat.com/errata/RHSA-2009-0057.html
- https://bugzilla.redhat.com/show_bug.cgi?id=480488
- https://bugzilla.redhat.com/show_bug.cgi?id=480224
- http://www.securityfocus.com/bid/33354
- http://secunia.com/advisories/33611
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/48115
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10366
- https://access.redhat.com/security/cve/CVE-2008-3663
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=480224
- http://rhn.redhat.com/errata/RHSA-2009-0057.html
Frequently Asked Questions
What is the severity of CVE-2009-0030?
CVE-2009-0030 is classified as a medium severity vulnerability due to the potential for unauthorized access to user data.
How do I fix CVE-2009-0030?
To fix CVE-2009-0030, update SquirrelMail to a version that addresses this cookie management issue.
What software is affected by CVE-2009-0030?
CVE-2009-0030 specifically affects SquirrelMail version 1.4.8.
What type of vulnerability is CVE-2009-0030?
CVE-2009-0030 is a session management vulnerability that allows access to other users' session data.
Who can exploit CVE-2009-0030?
CVE-2009-0030 can be exploited by remote authenticated users who can manipulate the session cookie.
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-0030
- agent/trending
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- vendor/squirrelmail
- canonical/squirrelmail
- version/squirrelmail/1.4.8