Horde Webmail version 5.2.22 suffers from code execution, cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.
f0b687fb3216938177a63fc81ec64bebd639bf70d529cb1674744db3e33e6e03
iDefense Security Advisory 07.11.07 - Remote exploitation of a local file inclusion vulnerability in gpg_help.php in version 2.0 of the SquirrelMail G/PGP Plugin could allow an authenticated webmail user to execute arbitrary PHP code under the security context of the running web server. iDefense has confirmed the existence of this vulnerability in version 2.0 of the G/PGP Encryption Plugin for SquirrelMail. It is suspected that earlier versions of the plug-in are also affected.
aa231abe3475356daf40107f026dcfd4b8a5dfd5f6082511bfec68f93d1a9a79
iDefense Security Advisory 07.11.07 - Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server. The gpg_recv_key() function is affected. iDefense has confirmed the existence of this vulnerability in the latest version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. Furthermore, this vulnerability has been confirmed to exist as early as version 2.0. Other versions may be affected.
623fb7212497064369a3382096eb045adef0b7054957761e87ecbb918b982ef4
iDefense Security Advisory 07.11.07 - Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server. The gpg_check_sign_pgp_mime() function is affected. iDefense has confirmed the existence of this vulnerability in version 2.0 of the G/PGP Encryption Plugin for SquirrelMail. It is suspected that earlier versions of the plug-in are also affected.
97a634db058299435700a7f1c91d89f48dab33b0e02efe0b54a1768f07a22eb2
iDefense Security Advisory 07.11.07 - Remote exploitation of a command injection vulnerability in the G/PGP Encryption Plugin for The SquirrelMail Project Team's SquirrelMail webmail package allows attackers to execute arbitrary commands with the privileges of the underlying web server. The deleteKey() functionality is affected. iDefense has confirmed the existence of this vulnerability in the latest version of the G/PGP Encryption Plugin for SquirrelMail, version 2.1. Furthermore, this vulnerability has been confirmed to exist as early as version 2.0. Other versions may be affected.
43d1374bb1007f95f5034258701359c58204a59a8e93b7fd871ca1983f6a250c
Madirish Webmail version 2.0 suffers from a remote file inclusion vulnerability.
f74181ebd7f79da849299ffbde20518867743f25fec9eea99e1dfd67343011c8
Debian Security Advisory 1290-1 - It was discovered that the webmail package Squirrelmail performs insufficient sanitising inside the HTML filter, which allows the injection of arbitrary web script code during the display of HTML email messages.
be082b77c7a63122764d74206a6f9145da3669a0fa16d4defe10da27fa295b3f
Secunia Security Advisory - Some vulnerabilities have been reported in MailBee WebMail Pro, which can be exploited by malicious people to conduct cross-site scripting attacks.
9d2fba4ff6b421d455310f33dc0e505ca72185e6abc94f82cd86a03c0f3e664a
MailBee WebMail Pro version 3.4 suffers from a cross site scripting vulnerability.
e0bfe7a7fab1b7303ad97ea5d5c2068c3c936e66d19e005b5725f598ba102f80
CmailServer WebMail versions 5.3.4 and below remote cross site scripting exploit.
90aec9df4adaab84df2aa9eb1a8e3087a7a25f22b7653f61b935f301139f2090
Lotus Domino versions R6 and below Webmail remote password hash dumper exploit.
ad22d459010ddc2813609f50832c4ec30e103ff1c2e8748027b6e972b7278f8f
Netragard, L.L.C Advisory - It is possible to take control of an @Mail webmail email account by exploiting a Cross Site Request Forgery (XSRF) vulnerability in the @Mail webmail product. An attacker can send a specially crafted email to any @Mail webmail user with a forged "img" tag. This forged tag, if crafted properly, will inject new settings into the @Mail webmail user's account. Version 4.51 is susceptible.
b627e59c9804ad47e3a14c93ce12874b3658b67c476646c57f75d4949ef620ce
Debian Security Advisory 1241-1 - In Squirrelmail, Martijn Brinkers discovered cross site scripting vulnerabilities in the mailto parameter of webmail.php, the session and delete_draft parameters of compose.php and through a shortcoming in the magicHTML filter. An attacker could abuse these to execute malicious JavaScript in the user's webmail session.
3d4e4f9763c1933aa3c82f443c2430f8e41dbad4eee200ae89497e2ebf6d44bb
Mandriva Linux Security Advisory - Multiple cross site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.9 allow remote attackers to inject arbitrary web script or HTML via the mailto parameter in webmail.php, the session and delete_draft parameters in compose.php, and unspecified vectors involving "a shortcoming in the magicHTML filter."
f780fe058ce85352014c4edd201ec80a122360a88b9dab812c245504a3efbfc4
Hastymail improperly validates the commands and information it transmits to the mail servers during normal use of the application. As a result, an authenticated malicious user could inject arbitrary IMAP/SMTP commands into the mail servers used by Hastymail through parameters that the webmail front-end uses in its communication with these mail servers. This vulnerability has been found in development version 1.5 and stable version 1.0.2.
a3e1f1a44710237610d3100801340ec499b4ad76630080fc5ed1b6ef649d4782
Roundcube webmail appears to have a cross site scripting vulnerability.
777fc2da5faaae60f518d3791b40609b950f3c149356b76cdc5a1792d53ed4d9
Symantec Vulnerability Research SYMSA-2006-010: The web server under IronWebMail employs a simple macro language for evaluating pathname references. A loss of confidentiality occurs as a result of faulty pathname evaluation, causing unauthenticated access violation.
70d347b30c2f24ca5298b306b53bddf54e9c34e14f16894f24b825724792f064
Secunia Security Advisory - Kw3rLn has reported a vulnerability in NuralStorm Webmail, which can be exploited by malicious people to compromise a vulnerable system.
774bd99a3b6e7880000ab7fb11c60a589fc96966106d753ae004d79d812a6e90
7 vulnerabilities have been found in Neon WebMail for Java. When exploited, these vulnerabilities allow execution of arbitrary JSP code, escalation of a user's privileges, manipulation of users' emails and user account information, disclosure of files on the server, and potentially a DoS via large CPU resource utilization by the MySQL server.
1ac3a24def980205e93b5bcbe227fa92f6bb8e0f9c1647d320df1e93dd18e582
Secunia Security Advisory - Tan Chew Keong has reported some vulnerabilities in Neon WebMail for Java, which can be exploited by malicious users to manipulate and disclose sensitive information, and conduct script insertion and SQL injection attacks, and by malicious people to compromise a vulnerable system.
70515919a106ffda21c89d6ab86bc6ed4d614a172ddb7a63568106ebdb47e165
Secunia Security Advisory - A vulnerability has been reported in Open WebMail, which can be exploited by malicious people to conduct cross-site scripting attacks.
c7f94cd74907cef1790a35411c292332779786a0c168ebd272f7349e32bfdcbc
V-Webmail 1.6.4 suffers from a remote file inclusion vulnerability.
2fe933d5ce79a0383b793f795ba79493400b6b896764106686f0ede16723855c
Secunia Security Advisory - beford has discovered a vulnerability in V-webmail, which can be exploited by malicious people to compromise a vulnerable system.
3c9cfbf4abd4b99b87e728e218e119d9e8218a9926b0cbe926f8e24195f6e656
Gentoo Linux Security Advisory GLSA 200603-09 - SquirrelMail does not validate the right_frame parameter in webmail.php, possibly allowing frame replacement or cross-site scripting. Martijn Brinkers and Scott Hughes discovered that MagicHTML fails to handle certain input correctly, potentially leading to cross-site scripting. Vicente Aguilera reported that the sqimap_mailbox_select function did not strip newlines from the mailbox or subject parameter, possibly allowing IMAP command injection. Versions less than 1.4.6 are affected.
effed19ca1e9f98b10b94fcf1e8a084c0d7eba2068bed2c586d1832ff2907aa7
Debian Security Advisory DSA 988-1 - Several vulnerabilities have been discovered in Squirrelmail, a commonly used webmail system.
e5ff871fa8d86d411ef7175c10b9746eedae28f1dd6702cddc0d546beb38c963
Secunia Security Advisory - rgod has reported a vulnerability in iGENUS Webmail, which can be exploited by malicious people to disclose potentially sensitive information.
57fa6ed74582b141751c41bef453067e6524416529c6328c657b4c68664975d6