FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  371350
Date:      2014-10-22
Time:      08:54:58Z
Committer: matthew

These are the vulnerabilities relating to the commit you have selected:

VuXML ID    Description
d1ce8a4f-c235-11dd-8cbc-00163e000016    squirrelmail -- Cross site scripting vulnerability

Squirrelmail team reports:

An issue was fixed that allowed an attacker to send specially-crafted hyperlinks in a message that could execute cross-site scripting (XSS) when the user viewed the message in SquirrelMail.


Discovery 2008-12-03
Entry 2008-12-04
squirrelmail
lt 1.4.17

CVE-2008-2379
http://secunia.com/Advisories/32143/
http://sourceforge.net/project/shownotes.php?release_id=644750&group_id=311
0e575ed3-0764-11dc-a80b-0016179b2dd5    squirrelmail -- Cross site scripting in HTML filter

The SquirrelMail developers report:

Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer.


Discovery 2007-05-09
Entry 2007-05-21
squirrelmail
ge 1.4.0 lt 1.4.9a

CVE-2007-1262
http://www.squirrelmail.org/security/issue/2007-05-09
a0afb4b9-89a1-11dd-a65b-00163e000016    squirrelmail -- Session hijacking vulnerability

Hanno Boeck reports:

When configuring a web application to use only ssl (e.g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible.

Though, for this to be secure, one needs to set the session cookie to have the secure flag. Otherwise the cookie will be transferred through HTTP if the victim's browser does a single HTTP request on the same domain.

Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but current 1.4.15 is vulnerable.


Discovery 2008-08-12
Entry 2008-09-23
squirrelmail
le 1.4.15_1

31321
CVE-2008-3663
http://seclists.org/bugtraq/2008/Sep/0239.html