CVE-2009-2964

high

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.

References

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668

https://gna.org/forum/forum.php?forum_id=2146

https://exchange.xforce.ibmcloud.com/vulnerabilities/52406

https://bugzilla.redhat.com/show_bug.cgi?id=517312

http://www.vupen.com/english/advisories/2010/2080

http://www.vupen.com/english/advisories/2010/1481

http://www.vupen.com/english/advisories/2009/3315

http://www.vupen.com/english/advisories/2009/2262

http://www.squirrelmail.org/security/issue/2009-08-12

http://www.securityfocus.com/bid/36196

http://www.osvdb.org/57001

http://www.mandriva.com/security/advisories?name=MDVSA-2009:222

http://www.debian.org/security/2010/dsa-2091

http://support.apple.com/kb/HT4188

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818

http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818

http://secunia.com/advisories/40964

http://secunia.com/advisories/40220

http://secunia.com/advisories/37415

http://secunia.com/advisories/36363

http://secunia.com/advisories/34627

http://osvdb.org/60469

http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html

http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html

http://jvn.jp/en/jp/JVN30881447/index.html

http://download.gna.org/nasmail/nasmail-1.7.zip

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818

Details

Source: Mitre, NVD

Published: 2009-08-25

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High