CVE-2018-8741

Published: 17 March 2018

A directory traversal flaw in SquirrelMail 1.4.22 allows an authenticated attacker to exfiltrate (or potentially delete) files from the hosting server, related to ../ in the att_local_name field in Deliver.class.php.

Priority

Medium

CVSS 3 base score: 8.8

Status

| Package | Release | Status |
|---|---|---|
| squirrelmail (Launchpad, Ubuntu, Debian) | Upstream | Released (2:1.4.23~svn20120406-2+deb8u2) |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
| | Ubuntu 16.04 ESM (Xenial Xerus) | Not vulnerable (2:1.4.23~svn20120406-2+deb8u2) |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was needs-triage) |