Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Open_webmail | Open_webmail | 2.30 (including) | 2.30 (including) |
| Open_webmail | Open_webmail | 2.31 (including) | 2.31 (including) |
| Open_webmail | Open_webmail | 2.32 (including) | 2.32 (including) |
| Propack | Sgi | 3.0 (including) | 3.0 (including) |
| Squirrelmail | Squirrelmail | 1.2.0 (including) | 1.2.0 (including) |
| Squirrelmail | Squirrelmail | 1.2.1 (including) | 1.2.1 (including) |
| Squirrelmail | Squirrelmail | 1.2.2 (including) | 1.2.2 (including) |
| Squirrelmail | Squirrelmail | 1.2.3 (including) | 1.2.3 (including) |
| Squirrelmail | Squirrelmail | 1.2.4 (including) | 1.2.4 (including) |
| Squirrelmail | Squirrelmail | 1.2.5 (including) | 1.2.5 (including) |
| Squirrelmail | Squirrelmail | 1.2.6 (including) | 1.2.6 (including) |
| Squirrelmail | Squirrelmail | 1.2.7 (including) | 1.2.7 (including) |
| Squirrelmail | Squirrelmail | 1.2.8 (including) | 1.2.8 (including) |
| Squirrelmail | Squirrelmail | 1.2.9 (including) | 1.2.9 (including) |
| Squirrelmail | Squirrelmail | 1.2.10 (including) | 1.2.10 (including) |
| Squirrelmail | Squirrelmail | 1.2.11 (including) | 1.2.11 (including) |
| Squirrelmail | Squirrelmail | 1.4 (including) | 1.4 (including) |
| Squirrelmail | Squirrelmail | 1.4.1 (including) | 1.4.1 (including) |
| Squirrelmail | Squirrelmail | 1.4.2 (including) | 1.4.2 (including) |
| Squirrelmail | Squirrelmail | 1.4.3_rc1 (including) | 1.4.3_rc1 (including) |
| Squirrelmail | Squirrelmail | 1.5_dev (including) | 1.5_dev (including) |