CVE-2018-14954 - OpenCVE

The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Squirrelmail	Squirrelmail

Configuration 1 [-]

cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2018/07/26/2	Mailing List Third Party Advisory
https://bugs.debian.org/905023	Issue Tracking Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5FP5O562A4FM5TCFNEW73SS6PZONSAC/
https://sourceforge.net/p/squirrelmail/bugs/2831/	Exploit Issue Tracking Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-08-05T18:00:00

Updated: 2019-08-21T03:06:08

Reserved: 2018-08-05T00:00:00

Link: CVE-2018-14954

JSON object: View

NVD Information

Status : Modified

Published: 2018-08-05T18:29:00.880

Modified: 2023-11-07T02:53:03.820

Link: CVE-2018-14954

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-08-05T00:00:00", "descriptions": [{"lang": "en", "value": "The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-21T03:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://sourceforge.net/p/squirrelmail/bugs/2831/"}, {"tags": ["x_refsource_MISC"], "url": "http://www.openwall.com/lists/oss-security/2018/07/26/2"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/905023"}, {"name": "FEDORA-2019-ad02f64a79", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO/"}, {"name": "FEDORA-2019-1a87523729", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5FP5O562A4FM5TCFNEW73SS6PZONSAC/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-14954", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://sourceforge.net/p/squirrelmail/bugs/2831/", "refsource": "MISC", "url": "https://sourceforge.net/p/squirrelmail/bugs/2831/"}, {"name": "http://www.openwall.com/lists/oss-security/2018/07/26/2", "refsource": "MISC", "url": "http://www.openwall.com/lists/oss-security/2018/07/26/2"}, {"name": "https://bugs.debian.org/905023", "refsource": "MISC", "url": "https://bugs.debian.org/905023"}, {"name": "FEDORA-2019-ad02f64a79", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO/"}, {"name": "FEDORA-2019-1a87523729", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T5FP5O562A4FM5TCFNEW73SS6PZONSAC/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-14954", "datePublished": "2018-08-05T18:00:00", "dateReserved": "2018-08-05T00:00:00", "dateUpdated": "2019-08-21T03:06:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "94F2E2D8-C2AF-4C72-B3F2-43AFC43D0CE5", "versionEndIncluding": "1.4.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The mail message display page in SquirrelMail through 1.4.22 has XSS via the formaction attribute."}, {"lang": "es", "value": "La p\u00e1gina de visualizaci\u00f3n de mensajes de email en SquirrelMail hasta la versi\u00f3n 1.4.22 tiene Cross-Site Scripting (XSS) mediante el atributo formaction."}], "id": "CVE-2018-14954", "lastModified": "2023-11-07T02:53:03.820", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-05T18:29:00.880", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2018/07/26/2"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/905023"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CVXTYMZ35IC5KPNMAE6BWAQWURMX7KZO/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5FP5O562A4FM5TCFNEW73SS6PZONSAC/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://sourceforge.net/p/squirrelmail/bugs/2831/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}