SquirrelMail < 1.4.4 XSS Vulnerabilities

The target is running at least one instance of SquirrelMail whose version number suggests it is vulnerable to one or more cross-site scripting vulnerabilities : - Insufficient escaping of integer variables in webmail.php allows a remote attacker to include HTML / script into a SquirrelMail webpage (affects 1.4.0-RC1 - 1.4.4-RC1). - Insufficient checking of incoming URL vars in webmail.php allows an attacker to include arbitrary remote web pages in the SquirrelMail frameset (affects 1.4.0-RC1 - 1.4.4-RC1). - A recent change in prefs.php allows an attacker to provide a specially crafted URL that could include local code into the SquirrelMail code if and only if PHP's register_globals setting is enabled (affects 1.4.3-RC1 - 1.4.4-RC1).

Upgrade to SquirrelMail 1.4.4 or later.