CVE-2009-2964: CSRF
First published: Wed Aug 12 2009(Updated: )
Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/squirrelmail | <0:1.4.8-16.el3 | 0:1.4.8-16.el3 |
| redhat/squirrelmail | <0:1.4.8-5.el4_8.8 | 0:1.4.8-5.el4_8.8 |
| redhat/squirrelmail | <0:1.4.8-5.el5_4.10 | 0:1.4.8-5.el5_4.10 |
| SquirrelMail | <=1.4.19 | |
| SquirrelMail | =0.1.1 | |
| SquirrelMail | =0.1.2 | |
| SquirrelMail | =1.0 | |
| SquirrelMail | =1.0.1 | |
| SquirrelMail | =1.0.2 | |
| SquirrelMail | =1.0.3 | |
| SquirrelMail | =1.0.4 | |
| SquirrelMail | =1.0.5 | |
| SquirrelMail | =1.0.6 | |
| SquirrelMail | =1.0pre1 | |
| SquirrelMail | =1.0pre2 | |
| SquirrelMail | =1.0pre3 | |
| SquirrelMail | =1.1.0 | |
| SquirrelMail | =1.1.1 | |
| SquirrelMail | =1.1.2 | |
| SquirrelMail | =1.1.3 | |
| SquirrelMail | =1.2 | |
| SquirrelMail | =1.2.0 | |
| SquirrelMail | =1.2.0-rc3 | |
| SquirrelMail | =1.2.0_rc3 | |
| SquirrelMail | =1.2.1 | |
| SquirrelMail | =1.2.2 | |
| SquirrelMail | =1.2.3 | |
| SquirrelMail | =1.2.4 | |
| SquirrelMail | =1.2.5 | |
| SquirrelMail | =1.2.6 | |
| SquirrelMail | =1.2.6-rc1 | |
| SquirrelMail | =1.2.7 | |
| SquirrelMail | =1.2.8 | |
| SquirrelMail | =1.2.9 | |
| SquirrelMail | =1.2.10 | |
| SquirrelMail | =1.2.11 | |
| SquirrelMail | =1.3.0 | |
| SquirrelMail | =1.3.1 | |
| SquirrelMail | =1.3.2 | |
| SquirrelMail | =1.4 | |
| SquirrelMail | =1.4-rc1 | |
| SquirrelMail | =1.4.0 | |
| SquirrelMail | =1.4.0-rc1 | |
| SquirrelMail | =1.4.0-rc2a | |
| SquirrelMail | =1.4.0-r1 | |
| SquirrelMail | =1.4.0_rc1 | |
| SquirrelMail | =1.4.0_rc2a | |
| SquirrelMail | =1.4.1 | |
| SquirrelMail | =1.4.2 | |
| SquirrelMail | =1.4.2-r1 | |
| SquirrelMail | =1.4.2-r2 | |
| SquirrelMail | =1.4.2-r3 | |
| SquirrelMail | =1.4.2-r4 | |
| SquirrelMail | =1.4.2-r5 | |
| SquirrelMail | =1.4.3 | |
| SquirrelMail | =1.4.3-r3 | |
| SquirrelMail | =1.4.3-rc1 | |
| SquirrelMail | =1.4.3_r3 | |
| SquirrelMail | =1.4.3_rc1 | |
| SquirrelMail | =1.4.3_rc1-r1 | |
| SquirrelMail | =1.4.3a | |
| SquirrelMail | =1.4.3aa | |
| SquirrelMail | =1.4.4 | |
| SquirrelMail | =1.4.4-rc1 | |
| SquirrelMail | =1.4.4_rc1 | |
| SquirrelMail | =1.4.5 | |
| SquirrelMail | =1.4.5_rc1 | |
| SquirrelMail | =1.4.6 | |
| SquirrelMail | =1.4.6-rc1 | |
| SquirrelMail | =1.4.6_cvs | |
| SquirrelMail | =1.4.6_rc1 | |
| SquirrelMail | =1.4.7 | |
| SquirrelMail | =1.4.8 | |
| SquirrelMail | =1.4.8.4fc6 | |
| SquirrelMail | =1.4.9 | |
| SquirrelMail | =1.4.9a | |
| SquirrelMail | =1.4.10 | |
| SquirrelMail | =1.4.10a | |
| SquirrelMail | =1.4.11 | |
| SquirrelMail | =1.4.12 | |
| SquirrelMail | =1.4.13 | |
| SquirrelMail | =1.4.15 | |
| SquirrelMail | =1.4.15-rc1 | |
| SquirrelMail | =1.4.15_rc1 | |
| SquirrelMail | =1.4.15rc1 | |
| SquirrelMail | =1.4.16 | |
| SquirrelMail | =1.4.17 | |
| SquirrelMail | =1.4.18 | |
| SquirrelMail | =1.4_rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
- http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html
- http://www.squirrelmail.org/security/issue/2009-08-12
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
- http://www.vupen.com/english/advisories/2009/2262
- https://bugzilla.redhat.com/show_bug.cgi?id=517312
- http://www.osvdb.org/57001
- http://secunia.com/advisories/36363
- http://secunia.com/advisories/34627
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
- http://www.securityfocus.com/bid/36196
- http://secunia.com/advisories/37415
- http://www.vupen.com/english/advisories/2009/3315
- http://osvdb.org/60469
- https://gna.org/forum/forum.php?forum_id=2146
- http://download.gna.org/nasmail/nasmail-1.7.zip
- http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
- http://secunia.com/advisories/40220
- http://www.vupen.com/english/advisories/2010/1481
- http://support.apple.com/kb/HT4188
- http://www.vupen.com/english/advisories/2010/2080
- http://www.debian.org/security/2010/dsa-2091
- http://secunia.com/advisories/40964
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
- http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
- http://jvn.jp/en/jp/JVN30881447/index.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668
- http://secunia.com/advisories/34627/
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc11
- http://admin.fedoraproject.org/updates/squirrelmail-1.4.19-2.fc10
- https://access.redhat.com/security/cve/CVE-2009-2964
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2964
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=517312
- http://xforce.iss.net/xforce/xfdb/52406
- https://rhn.redhat.com/errata/RHSA-2009-1490.html
- https://www.cve.org/CVERecord?id=CVE-2009-2964 https://nvd.nist.gov/vuln/detail/CVE-2009-2964
- https://access.redhat.com/errata/RHSA-2009:1490
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-2964.json
Frequently Asked Questions
What is the severity of CVE-2009-2964?
CVE-2009-2964 is classified as a moderate severity vulnerability due to potential exploitation that can hijack user authentication.
How do I fix CVE-2009-2964?
To fix CVE-2009-2964, update SquirrelMail to version 1.4.20 or later.
Which versions are affected by CVE-2009-2964?
CVE-2009-2964 affects SquirrelMail versions 1.4.19 and earlier.
What type of vulnerability is CVE-2009-2964?
CVE-2009-2964 is a Cross-Site Request Forgery (CSRF) vulnerability.
Can CVE-2009-2964 lead to account takeover?
Yes, CVE-2009-2964 can allow attackers to hijack user sessions and perform unauthorized actions.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-2964
- agent/references
- agent/author
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- collector/redhat-cve
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- package-manager/redhat
- vendor/squirrelmail
- canonical/squirrelmail
- version/squirrelmail/1.4.19
- version/squirrelmail/0.1.1
- version/squirrelmail/0.1.2
- version/squirrelmail/1.0
- version/squirrelmail/1.0.1
- version/squirrelmail/1.0.2
- version/squirrelmail/1.0.3
- version/squirrelmail/1.0.4
- version/squirrelmail/1.0.5
- version/squirrelmail/1.0.6
- version/squirrelmail/1.0pre1
- version/squirrelmail/1.0pre2
- version/squirrelmail/1.0pre3
- version/squirrelmail/1.1.0
- version/squirrelmail/1.1.1
- version/squirrelmail/1.1.2
- version/squirrelmail/1.1.3
- version/squirrelmail/1.2
- version/squirrelmail/1.2.0
- version/squirrelmail/1.2.0-rc3
- version/squirrelmail/1.2.0_rc3
- version/squirrelmail/1.2.1
- version/squirrelmail/1.2.2
- version/squirrelmail/1.2.3
- version/squirrelmail/1.2.4
- version/squirrelmail/1.2.5
- version/squirrelmail/1.2.6
- version/squirrelmail/1.2.6-rc1
- version/squirrelmail/1.2.7
- version/squirrelmail/1.2.8
- version/squirrelmail/1.2.9
- version/squirrelmail/1.2.10
- version/squirrelmail/1.2.11
- version/squirrelmail/1.3.0
- version/squirrelmail/1.3.1
- version/squirrelmail/1.3.2
- version/squirrelmail/1.4
- version/squirrelmail/1.4-rc1
- version/squirrelmail/1.4.0
- version/squirrelmail/1.4.0-rc1
- version/squirrelmail/1.4.0-rc2a
- version/squirrelmail/1.4.0-r1
- version/squirrelmail/1.4.0_rc1
- version/squirrelmail/1.4.0_rc2a
- version/squirrelmail/1.4.1
- version/squirrelmail/1.4.2
- version/squirrelmail/1.4.2-r1
- version/squirrelmail/1.4.2-r2
- version/squirrelmail/1.4.2-r3
- version/squirrelmail/1.4.2-r4
- version/squirrelmail/1.4.2-r5
- version/squirrelmail/1.4.3
- version/squirrelmail/1.4.3-r3
- version/squirrelmail/1.4.3-rc1
- version/squirrelmail/1.4.3_r3
- version/squirrelmail/1.4.3_rc1
- version/squirrelmail/1.4.3_rc1-r1
- version/squirrelmail/1.4.3a
- version/squirrelmail/1.4.3aa
- version/squirrelmail/1.4.4
- version/squirrelmail/1.4.4-rc1
- version/squirrelmail/1.4.4_rc1
- version/squirrelmail/1.4.5
- version/squirrelmail/1.4.5_rc1
- version/squirrelmail/1.4.6
- version/squirrelmail/1.4.6-rc1
- version/squirrelmail/1.4.6_cvs
- version/squirrelmail/1.4.6_rc1
- version/squirrelmail/1.4.7
- version/squirrelmail/1.4.8
- version/squirrelmail/1.4.8.4fc6
- version/squirrelmail/1.4.9
- version/squirrelmail/1.4.9a
- version/squirrelmail/1.4.10
- version/squirrelmail/1.4.10a
- version/squirrelmail/1.4.11
- version/squirrelmail/1.4.12
- version/squirrelmail/1.4.13
- version/squirrelmail/1.4.15
- version/squirrelmail/1.4.15-rc1
- version/squirrelmail/1.4.15_rc1
- version/squirrelmail/1.4.15rc1
- version/squirrelmail/1.4.16
- version/squirrelmail/1.4.17
- version/squirrelmail/1.4.18
- version/squirrelmail/1.4_rc1