Squirrelmail Cross-site Scripting

Why it can be dangerous and how to fix it

This article is a part of our Vulnerability Database (back to index)

Cross-site Scripting occurrences in Squirrelmail

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element. (2019-07-01, CVE-2019-12970)

The mail message display page in SquirrelMail through 1.4.22 has XSS via a "

<span>Confirmation: <script>dangerous javascript code here</script></span>

Scan Your Web App Now
Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free