CVE		CVE-2009-1578
Status		Candidate
Description		Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).
Severity		Medium
CVSS score		4,3
CVSS vector		(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Phase		Assigned (21.08.2010)
NVD:		http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1578
References		BID : 34916
		CONFIRM : http://squirrelmail.svn.sourceforge.net/viewvc/squ...
		CONFIRM : http://squirrelmail.svn.sourceforge.net/viewvc/squ...
		CONFIRM : http://squirrelmail.svn.sourceforge.net/viewvc/squ...
		CONFIRM : http://squirrelmail.svn.sourceforge.net/viewvc/squ...
		CONFIRM : http://squirrelmail.svn.sourceforge.net/viewvc/squ...
		CONFIRM : http://www.squirrelmail.org/security/issue/2009-05-08
		CONFIRM : http://www.squirrelmail.org/security/issue/2009-05-09
		CONFIRM : https://bugzilla.redhat.com/show_bug.cgi?id=500363
		FEDORA : FEDORA-2009-4870
		FEDORA : FEDORA-2009-4880
		MANDRIVA : MDVSA-2009:110
		SECUNIA : 35052
		SECUNIA : 35073
		VUPEN : ADV-2009-1296
		XF : squirrelmail-decryptheaders-xss(50460)
		XF : squirrelmail-phpself-xss(50459)
SecurityVulns:		Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)