Hivemail » Hivemail » 1.2_sp1 : Security Vulnerabilities, CVEs,

cpe:2.3:a:hivemail:hivemail:1.2_sp1:*:*:*:*:*:*:*

CVE-2006-3566

search.results.php in HiveMail 3.1 and earlier allows remote attackers to obtain the installation path via certain manipulations related to the (1) searchdate and (2) folderids parameters.
Max CVSS
5.0
EPSS Score
0.65%
Published
2006-07-13
Updated
2017-07-20

CVE-2006-3565

SQL injection vulnerability in search.results.php in HiveMail 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the fields[] parameter.
Max CVSS
7.5
EPSS Score
0.97%
Published
2006-07-13
Updated
2017-07-20

CVE-2006-0759

Multiple SQL injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the contactgroupid parameter in addressbook.update.php, (2) the messageid parameter in addressbook.add.php, (3) the folderid parameter in folders.update.php, and possibly certain parameters in (4) calendar.event.php, (5) index.php, (6) pop.download.php, (7) read.bounce.php, (8) rules.block.php, (9) language.php, and (10) certain other scripts; and allow remote authenticated users to execute arbitrary SQL commands via (11) the folderid parameter in index.php and (12) possibly other parameters in certain other scripts, because $_SERVER['PHP_SELF'] is improperly handled.
Max CVSS
7.5
EPSS Score
0.59%
Published
2006-02-18
Updated
2017-07-20

CVE-2006-0758

Multiple cross-site scripting (XSS) vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to inject arbitrary web script or HTML via a URL encoded expression in the query string in (1) index.php and (2) possibly certain other scripts, which is not properly cleansed when accessed from the $_SERVER['PHP_SELF'] variable.
Max CVSS
4.3
EPSS Score
0.59%
Published
2006-02-18
Updated
2017-07-20

CVE-2006-0757

Multiple eval injection vulnerabilities in HiveMail 1.3 and earlier allow remote attackers to execute arbitrary PHP code via (1) the contactgroupid parameter in addressbook.update.php, (2) the messageid parameter in addressbook.add.php, (3) the folderid parameter in folders.update.php, and possibly certain parameters in (4) calendar.event.php, (5) index.php, (6) pop.download.php, (7) read.bounce.php, (8) rules.block.php, (9) language.php, and (10) certain other scripts, as demonstrated by an addressbook.update.php request with a contactgroupid value of phpinfo() preceded by facilitators.
Max CVSS
7.5
EPSS Score
18.38%
Published
2006-02-18
Updated
2017-07-20
5 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close