CVE-2019-12970

Published: 01 July 2019

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element.
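The class of sanitizer defect described above can be illustrated without SquirrelMail's own code: the toy allow-list sanitizer below (an added example, constructed here; the allow-list, element sets and sample input are assumptions) tokenizes NOEMBED/NOFRAMES/NOSCRIPT/TEXTAREA content as text the way an HTML parser does, and shows how writing that text back verbatim after dropping the enclosing tags turns uninspected content into live markup, while escaping it keeps it inert.

```python
import re
import html

# Elements whose content an HTML parser reads as text, not markup.
# RAWTEXT keeps entity references literal; RCDATA decodes them.
RAWTEXT = {"noembed", "noframes", "noscript", "xmp", "style", "script"}
RCDATA = {"textarea", "title"}
ALLOWED = {"p", "b", "i", "br"}  # assumed allow-list for this toy sanitizer
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")

def tokenize(src):
    """Yield ('tag', name, is_end) and ('text', data) tokens. Inside a
    RAWTEXT/RCDATA element everything up to its end tag is one text token."""
    pos = 0
    while pos < len(src):
        m = TAG_RE.search(src, pos)
        if not m:
            yield ("text", src[pos:])
            return
        if m.start() > pos:
            yield ("text", src[pos:m.start()])
        name, is_end = m.group(2).lower(), m.group(1) == "/"
        yield ("tag", name, is_end)
        pos = m.end()
        if not is_end and name in RAWTEXT | RCDATA:
            end = re.search(rf"</{name}\s*>", src[pos:], re.I)
            stop = pos + end.start() if end else len(src)
            body = src[pos:stop]
            yield ("text", html.unescape(body) if name in RCDATA else body)
            pos = stop

def sanitize(src, escape_text):
    """Drop tags not in ALLOWED (attributes are dropped too, for brevity).
    escape_text=False writes text back verbatim (the flawed round-trip);
    escape_text=True HTML-escapes every text token before re-emitting it."""
    out = []
    for tok in tokenize(src):
        if tok[0] == "tag":
            _, name, is_end = tok
            if name in ALLOWED:
                out.append(f"</{name}>" if is_end else f"<{name}>")
        else:
            out.append(html.escape(tok[1], quote=False) if escape_text else tok[1])
    return "".join(out)

def disallowed_live_tags(doc):
    """Tags a browser would parse as markup in doc that the allow-list never approved."""
    return sorted({t[1] for t in tokenize(doc) if t[0] == "tag"} - ALLOWED)

# Constructed sample: markup hidden inside a RAWTEXT and an RCDATA element.
SAMPLE = ("<p>Hi</p><noembed><u>raw</u></noembed>"
          "<textarea>&lt;em&gt;rc&lt;/em&gt;</textarea>")
```

Running `disallowed_live_tags(sanitize(SAMPLE, escape_text=False))` reports the `em` and `u` tags that surfaced from the dropped elements, while the escaping variant reports none.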

From the Ubuntu security team

An XSS vulnerability was discovered in SquirrelMail. An attacker could use malicious script content from HTML e-mail to execute code and/or provoke a denial of service.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package: squirrelmail (Launchpad, Ubuntu, Debian)

Release                           Status
Upstream                          Released (2:1.4.23~svn20120406-2+deb8u4)
Ubuntu 20.10 (Groovy Gorilla)     Does not exist
Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
Ubuntu 18.04 LTS (Bionic Beaver)  Does not exist
Ubuntu 16.04 ESM (Xenial Xerus)   Released (2:1.4.23~svn20120406-2+deb8u3ubuntu0.16.04.2)
Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist