Open Webmail : Security Vulnerabilities, CVEs, CVSS score >= 6
Cross-site scripting (XSS) vulnerability in ow-shared.pl in OpenWebMail (OWM) 2.51 and earlier allows remote attackers to inject arbitrary web script or HTML via the sessionid parameter in (1) openwebmail-send.pl, (2) openwebmail-advsearch.pl, (3) openwebmail-folder.pl, (4) openwebmail-prefs.pl, (5) openwebmail-abook.pl, (6) openwebmail-read.pl, (7) openwebmail-cal.pl, and (8) openwebmail-webdisk.pl. NOTE: the openwebmail-main.pl vector is already covered by CVE-2005-2863.
Max CVSS: 6.8; EPSS Score: 5.34%; Published: 2006-05-04; Updated: 2017-07-20
Open WebMail (OWM) before 2.51 20050430 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.
Max CVSS: 7.5; EPSS Score: 2.78%; Published: 2005-05-03; Updated: 2008-09-05
The read_list_from_file function in vacation.pl for OpenWebmail before 2.32 20040629 allows remote attackers to execute arbitrary commands via shell metacharacters in a filename argument.
Max CVSS: 10.0; EPSS Score: 3.28%; Published: 2004-12-31; Updated: 2017-07-11
Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable.
Max CVSS: 6.8; EPSS Score: 3.29%; Published: 2004-08-06; Updated: 2017-07-11
Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.
Max CVSS: 6.8; EPSS Score: 1.84%; Published: 2004-08-18; Updated: 2017-10-11
openwebmail_init in Open WebMail 1.81 and earlier allows local users to execute arbitrary code via .. (dot dot) sequences in a login name, such as the name provided in the sessionid parameter for openwebmail-abook.pl, which is used to find a configuration file that specifies additional code to be executed.
Max CVSS: 7.2; EPSS Score: 0.04%; Published: 2002-12-26; Updated: 2017-10-10
6 vulnerabilities found