CVE-2019-12970

Published: 01 July 2019

XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. Due to improper handling of RCDATA and RAWTEXT type elements, the built-in sanitization mechanism can be bypassed. Malicious script content from HTML e-mail can be executed within the application context via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element.
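The hazard described above is a content-model mismatch: a sanitizer that treats the body of a RAWTEXT/RCDATA element (NOEMBED, NOFRAMES, NOSCRIPT, TEXTAREA) as opaque text never inspects the markup inside it, while the browser that eventually renders the message may tokenize that same body as HTML (NOSCRIPT content is parsed as markup whenever scripting is enabled, and any wrapper the sanitizer strips leaves its contents exposed). The following example, added here and not taken from SquirrelMail or the Ubuntu package, shows the defensive policy a sanitizer should apply instead: drop every raw-text element together with its whole subtree, keep only an explicit allowlist of formatting tags, and re-parse the output to confirm nothing outside the allowlist survived. The allowlist, the `sanitize`/`audit` function names and the inclusion of SCRIPT and STYLE in the raw-text set are assumptions of this example; the input fragments in the comments are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Elements whose body a browser tokenizes as RAWTEXT/RCDATA (or, for noscript,
# as ordinary markup when scripting is on). The four named in the advisory plus
# script and style, which carry the same hazard. Assumption of this example:
# the safe policy is to discard such an element and everything nested in it.
RAW_TEXT_ELEMENTS = {"noembed", "noframes", "noscript", "textarea", "script", "style"}

# Minimal formatting allowlist for this example; all attributes are dropped.
ALLOWED_TAGS = {"p", "b", "i", "u", "em", "strong", "ul", "ol", "li", "br"}
VOID_TAGS = {"br"}


class RawTextAwareSanitizer(HTMLParser):
    """Rebuilds an HTML fragment from allowlisted tags and escaped text only.

    Everything seen while the raw-text depth is positive is suppressed, so the
    sanitizer never emits bytes that it did not itself tokenize as markup.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._raw_depth = 0  # > 0 while inside a raw-text element

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_ELEMENTS:
            self._raw_depth += 1
            return
        if self._raw_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_ELEMENTS:
            self._raw_depth = max(0, self._raw_depth - 1)
            return
        if self._raw_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._raw_depth:
            return
        # Character references were decoded by the parser; re-escape on output.
        self.out.append(escape(data, quote=False))

    # Comments, doctype declarations and processing instructions are dropped.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize(fragment: str) -> str:
    """Return the allowlisted rendering of a constructed HTML mail fragment."""
    parser = RawTextAwareSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


class TagAuditor(HTMLParser):
    """Collects every start tag outside the allowlist; used to verify output."""

    def __init__(self) -> None:
        super().__init__()
        self.offending: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.offending.append(tag)


def audit(fragment: str) -> list[str]:
    """Re-parse a fragment and report tags that the allowlist does not permit."""
    auditor = TagAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.offending


if __name__ == "__main__":
    # Constructed sample: a raw-text wrapper hiding a script element.
    sample = "<p>Hello</p><noscript><script>x()</script></noscript><b>ok</b>"
    print(sanitize(sample))          # <p>Hello</p><b>ok</b>
    print(audit(sample))             # contains 'script'
    print(audit(sanitize(sample)))   # []
```

The `audit` pass is the check worth keeping in a mail client's test suite: run the sanitizer's output back through a parser that does not treat the four elements as raw text and assert that no non-allowlisted tag appears. A sanitizer that only skips over raw-text bodies passes its own tests and fails this one.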

From the Ubuntu security team

An XSS vulnerability was discovered in SquirrelMail. An attacker could use malicious script content from HTML e-mail to execute code and/or provoke a denial of service.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package: squirrelmail (Launchpad, Ubuntu, Debian)

Release                          Status
Upstream                         Released (2:1.4.23~svn20120406-2+deb8u4)
Ubuntu 21.04 (Hirsute Hippo)     Does not exist
Ubuntu 20.10 (Groovy Gorilla)    Does not exist
Ubuntu 20.04 LTS (Focal Fossa)   Does not exist
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 LTS (Xenial Xerus)  Released (2:1.4.23~svn20120406-2+deb8u3ubuntu0.16.04.2)
Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist