Vulnerability Details : CVE-2011-2023
Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2011-2023
- cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3a:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3aa:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_cvs:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.9a:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.10a:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.4pre2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0pre2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0pre3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.5pre1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.5pre2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0pre1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.3pre1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.3pre2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.4pre1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r2:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r3:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.0-r1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r4:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r5:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.16:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:r3:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.8.4fc6:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:rc1:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc2a:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.18:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.15rc1:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.17:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.2.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.19:*:*:*:*:*:*:*
- cpe:2.3:a:squirrelmail:squirrelmail:1.4.20:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2011-2023
0.32%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 66 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2011-2023
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2011-2023
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2011-2023
-
https://bugzilla.redhat.com/show_bug.cgi?id=720695
720695 – (CVE-2011-2023) CVE-2011-2023 SquirrelMail: XSS in <style> tag handlingPatch
-
http://securitytracker.com/id?1025766
SquirrelMail Input Validation Flaw in Style Tag Attributes Permits Cross-Site Scripting Attacks - SecurityTracker
-
http://www.debian.org/security/2011/dsa-2291
Debian -- Security Information -- DSA-2291-1 squirrelmail
-
http://rhn.redhat.com/errata/RHSA-2012-0103.html
RHSA-2012:0103 - Security Advisory - Red Hat Customer Portal
-
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14121
404 Not FoundPatch
-
http://www.squirrelmail.org/security/issue/2011-07-10
SquirrelMail - Webmail for Nuts!Patch;Vendor Advisory
-
http://support.apple.com/kb/HT5130
About the security content of OS X Lion v10.7.3 and Security Update 2012-001 - Apple Support
-
http://www.mandriva.com/security/advisories?name=MDVSA-2011:123
mandriva.com
-
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
Apple - Lists.apple.com
Jump to