CVE-2009-2964

CVSS V2 Medium 6.8 CVSS V3 None

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.

Overview

CVE ID
CVE-2009-2964

Assigner
cve@mitre.org

Vulnerability Status
Modified

Published Version
2009-08-25T17:30:01

Last Modified Date
2017-09-19T01:29:22

Weakness Enumerations

CWE	URL
CWE-352	http://cwe.mitre.org/data/definitions/352.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
cpe:2.3:a:squirrelmail:squirrelmail::::::::	1	OR	1.4.19
cpe:2.3:a:squirrelmail:squirrelmail:0.1.1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:0.1.2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0.1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0.2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0.3:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0.4:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0.5:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0.6:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0pre1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0pre2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.0pre3:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.1.0:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.1.1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.1.2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.1.3:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:rc3::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.0_rc3:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.3:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.4:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.5:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.6:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.6-rc1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.7:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.8:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.9:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.10:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.2.11:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.3.0:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.3.1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.3.2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4:rc1::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc1::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc2a::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0-r1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0_rc1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0_rc2a:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r2:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r3:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r4:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r5:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:r3::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:rc1::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_r3:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:r1::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3a:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3aa:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:rc1::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4_rc1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.5_rc1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:rc1::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_cvs:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_rc1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.7:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.8:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.8.4fc6:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.9:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.9a:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.10:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.10a:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.11:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.12:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.13:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:rc1::::::	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.15_rc1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.15rc1:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.16:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.17:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4.18:::::::*	1	OR
cpe:2.3:a:squirrelmail:squirrelmail:1.4_rc1:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector
NETWORK

Access Compatibility
MEDIUM

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
6.8

Severity
MEDIUM

Exploitability Score
8.6

Impact Score
6.4

References

Reference URL	Reference Tags
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818	Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818	Patch
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html
http://www.squirrelmail.org/security/issue/2009-08-12	Patch Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
http://www.vupen.com/english/advisories/2009/2262	Patch Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=517312	Patch
http://www.osvdb.org/57001
http://secunia.com/advisories/36363	Vendor Advisory
http://secunia.com/advisories/34627	Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
http://www.securityfocus.com/bid/36196
http://secunia.com/advisories/37415
http://www.vupen.com/english/advisories/2009/3315
http://osvdb.org/60469
https://gna.org/forum/forum.php?forum_id=2146
http://download.gna.org/nasmail/nasmail-1.7.zip
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
http://secunia.com/advisories/40220
http://www.vupen.com/english/advisories/2010/1481
http://support.apple.com/kb/HT4188
http://www.vupen.com/english/advisories/2010/2080
http://www.debian.org/security/2010/dsa-2091
http://secunia.com/advisories/40964
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
http://jvn.jp/en/jp/JVN30881447/index.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2009-2964
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2964

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 08:36:34				Added to TrackCVE