NVD

CVE-2009-2964 Detail

Modified

This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: 6.8 MEDIUM

Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
http://download.gna.org/nasmail/nasmail-1.7.zip
http://download.gna.org/nasmail/nasmail-1.7.zip
http://jvn.jp/en/jp/JVN30881447/index.html
http://jvn.jp/en/jp/JVN30881447/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
http://osvdb.org/60469
http://osvdb.org/60469
http://secunia.com/advisories/34627	Vendor Advisory
http://secunia.com/advisories/34627	Vendor Advisory
http://secunia.com/advisories/36363	Vendor Advisory
http://secunia.com/advisories/36363	Vendor Advisory
http://secunia.com/advisories/37415
http://secunia.com/advisories/37415
http://secunia.com/advisories/40220
http://secunia.com/advisories/40220
http://secunia.com/advisories/40964
http://secunia.com/advisories/40964
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818	Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818	Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818	Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818	Patch
http://support.apple.com/kb/HT4188
http://support.apple.com/kb/HT4188
http://www.debian.org/security/2010/dsa-2091
http://www.debian.org/security/2010/dsa-2091
http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
http://www.osvdb.org/57001
http://www.osvdb.org/57001
http://www.securityfocus.com/bid/36196
http://www.securityfocus.com/bid/36196
http://www.squirrelmail.org/security/issue/2009-08-12	Patch Vendor Advisory
http://www.squirrelmail.org/security/issue/2009-08-12	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/2262	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/2262	Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/3315
http://www.vupen.com/english/advisories/2009/3315
http://www.vupen.com/english/advisories/2010/1481
http://www.vupen.com/english/advisories/2010/1481
http://www.vupen.com/english/advisories/2010/2080
http://www.vupen.com/english/advisories/2010/2080
https://bugzilla.redhat.com/show_bug.cgi?id=517312	Patch
https://bugzilla.redhat.com/show_bug.cgi?id=517312	Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
https://gna.org/forum/forum.php?forum_id=2146
https://gna.org/forum/forum.php?forum_id=2146
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-352	Cross-Site Request Forgery (CSRF)	NIST

Known Affected Software Configurations Switch to CPE 2.2

Configuration 1 ( hide )

cpe:2.3:a:squirrelmail:squirrelmail:0.1.1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:0.1.2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0.1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0.2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0.3:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0.4:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0.5:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0.6:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0pre1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0pre2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.0pre3:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.1.0:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.1.1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.1.2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.1.3:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:rc3:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.0_rc3:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.3:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.4:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.5:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.6:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.6-rc1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.7:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.8:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.9:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.10:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.2.11:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.3.0:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.3.1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.3.2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4:rc1:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc1:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc2a:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0-r1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0_rc1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.0_rc2a:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r2:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r3:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r4:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r5:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:r3:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:rc1:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_r3:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:r1:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3a:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.3aa:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:rc1:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.4_rc1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.5_rc1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:rc1:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_cvs:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_rc1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.7:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.8:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.8.4fc6:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.9:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.9a:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.10:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.10a:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.11:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.12:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.13:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:rc1:::::: Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.15_rc1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.15rc1:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.16:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.17:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:1.4.18:::::::* Show Matching CPE(s)
cpe:2.3:a:squirrelmail:squirrelmail:::::::: Show Matching CPE(s)	Up to (including) 1.4.19
cpe:2.3:a:squirrelmail:squirrelmail:1.4_rc1:::::::* Show Matching CPE(s)

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

5 change records found show changes

CVE Modified by CVE 11/20/2024 8:06:10 PM

Action	Type	New Value
Added	Reference	http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
Added	Reference	http://download.gna.org/nasmail/nasmail-1.7.zip
Added	Reference	http://jvn.jp/en/jp/JVN30881447/index.html
Added	Reference	http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
Added	Reference	http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
Added	Reference	http://osvdb.org/60469
Added	Reference	http://secunia.com/advisories/34627
Added	Reference	http://secunia.com/advisories/36363
Added	Reference	http://secunia.com/advisories/37415
Added	Reference	http://secunia.com/advisories/40220
Added	Reference	http://secunia.com/advisories/40964
Added	Reference	http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818
Added	Reference	http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818
Added	Reference	http://support.apple.com/kb/HT4188
Added	Reference	http://www.debian.org/security/2010/dsa-2091
Added	Reference	http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
Added	Reference	http://www.osvdb.org/57001
Added	Reference	http://www.securityfocus.com/bid/36196
Added	Reference	http://www.squirrelmail.org/security/issue/2009-08-12
Added	Reference	http://www.vupen.com/english/advisories/2009/2262
Added	Reference	http://www.vupen.com/english/advisories/2009/3315
Added	Reference	http://www.vupen.com/english/advisories/2010/1481
Added	Reference	http://www.vupen.com/english/advisories/2010/2080
Added	Reference	https://bugzilla.redhat.com/show_bug.cgi?id=517312
Added	Reference	https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
Added	Reference	https://gna.org/forum/forum.php?forum_id=2146
Added	Reference	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668
Added	Reference	https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
Added	Reference	https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html

Quick Info

CVE Dictionary Entry:
CVE-2009-2964
NVD Published Date:
08/25/2009
NVD Last Modified:
11/20/2024
Source:
MITRE

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2009-2964 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Modified by CVE 11/20/2024 8:06:10 PM

CVE Modified by MITRE 5/13/2024 10:09:28 PM

CVE Modified by MITRE 9/18/2017 9:29:22 PM

CVE Modified by MITRE 8/16/2017 9:30:59 PM

Initial CVE Analysis 8/25/2009 2:19:00 PM

Quick Info