CVE-2019-12970
CVE record state: PUBLISHED
Cross-site scripting (XSS) was discovered in SquirrelMail through 1.4.22 and 1.5.x through 1.5.2. The built-in HTML sanitization mechanism does not handle RCDATA and RAWTEXT type elements the way a browser's HTML parser does, and can therefore be bypassed: a browser reads the content of such an element as character data up to the matching end tag, so the filter's view of where markup begins and ends diverges from the browser's. Malicious script content from an HTML e-mail can thus be executed within the application context (the web-mail origin, with the victim's session) via crafted use of (for example) a NOEMBED, NOFRAMES, NOSCRIPT, or TEXTAREA element.
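Added example (not SquirrelMail's code and not the SySS advisory's proof of concept): a minimal Python model of the parser differential the description refers to. A tag-level filter that recognises `<!--` and tags everywhere will treat a comment opener inside a TEXTAREA or NOEMBED element as the start of a harmless comment that swallows whatever follows; a browser, which is in the RCDATA or RAWTEXT state inside those elements, sees plain text, then the end tag, then a live element. The allow-list, the tokenizer, the `sanitize_naive`/`sanitize_aware` functions and the two payloads are constructed for this illustration and are assumptions of the example, not details taken from SquirrelMail; details of the actual filter behaviour are in the SySS advisory linked below.

```python
import re

# Elements whose content the HTML parsing algorithm reads as character data up
# to the matching end tag: RAWTEXT (no tags, comments or character references)
# and RCDATA (character references only). NOSCRIPT is RAWTEXT only while
# scripting is enabled, which is the case in a web-mail client's browser.
# SCRIPT has its own "script data" state but behaves the same for this purpose.
RAWTEXT_ELEMENTS = {"noembed", "noframes", "noscript", "style", "xmp", "iframe"}
RCDATA_ELEMENTS = {"textarea", "title"}
TEXT_ONLY = RAWTEXT_ELEMENTS | RCDATA_ELEMENTS | {"script"}

# Hypothetical allow-list for a mail sanitizer (assumption of this example); it
# admits the RCDATA/RAWTEXT wrappers so the browser ends up in the text-only
# state the attacker needs.
ALLOWED = {"p", "b", "i", "u", "br", "a", "div", "span",
           "textarea", "noembed", "noframes", "noscript"}
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.I)
TAG = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")  # simplification: no '>' inside quoted values


def tokenize(html, browser_rules):
    """Yield ('text'|'rawtext'|'comment', data) or ('start'|'end', name, attrs, raw).

    browser_rules=False: every '<!--' and every tag is recognised wherever it
    occurs (the mistake a naive filter makes).
    browser_rules=True: the content of a text-only element is one 'rawtext'
    token running up to its end tag, as a browser tokenizes it.
    """
    i, n, text_mode = 0, len(html), None
    while i < n:
        if text_mode:
            end = re.compile(r"</%s\s*>" % text_mode, re.I).search(html, i)
            stop = end.start() if end else n
            if stop > i:
                yield ("rawtext", html[i:stop])
            if end:
                yield ("end", text_mode, "", end.group(0))
            i, text_mode = (end.end() if end else n), None
            continue
        if html.startswith("<!--", i):
            j = html.find("-->", i + 4)
            stop = n if j < 0 else j + 3          # unterminated comment runs to EOF
            yield ("comment", html[i:stop])
            i = stop
            continue
        m = TAG.match(html, i)
        if m:
            kind = "end" if m.group(1) else "start"
            name = m.group(2).lower()
            yield (kind, name, m.group(3).strip(), m.group(0))
            i = m.end()
            if browser_rules and kind == "start" and name in TEXT_ONLY:
                text_mode = name
            continue
        j = html.find("<", i + 1)               # plain character data up to the next '<'
        stop = n if j < 0 else j
        yield ("text", html[i:stop])
        i = stop


def sanitize_naive(html):
    """Tag-level filter with no notion of RAWTEXT/RCDATA: text and comments pass
    through verbatim; disallowed tags and tags with on* attributes are dropped."""
    out = []
    for tok in tokenize(html, browser_rules=False):
        if tok[0] in ("text", "comment"):
            out.append(tok[1])
        elif tok[1] in ALLOWED and not EVENT_HANDLER.search(tok[2]):
            out.append(tok[3])
    return "".join(out)


def sanitize_aware(html):
    """Same allow-list, but tokenized the way the browser will tokenize the result:
    text-only elements are removed together with their content and comments are
    dropped, so nothing the filter treated as data can later turn into markup."""
    out = []
    for tok in tokenize(html, browser_rules=True):
        if tok[0] == "text":
            out.append(tok[1])
        elif tok[0] in ("rawtext", "comment"):
            continue
        elif tok[1] not in TEXT_ONLY and tok[1] in ALLOWED and not EVENT_HANDLER.search(tok[2]):
            out.append(tok[3])
    return "".join(out)


def live_tags(html):
    """Start tags a browser would instantiate, i.e. those outside text-only content."""
    return [(t[1], t[2]) for t in tokenize(html, browser_rules=True) if t[0] == "start"]


def executes_script(html):
    """True if a live <script> or a live element carrying an on* handler reaches the DOM."""
    return any(name == "script" or EVENT_HANDLER.search(attrs) for name, attrs in live_tags(html))


# Constructed payloads of the shape the CVE text describes (not the advisory's own
# proof of concept): a comment opener inside an RCDATA or RAWTEXT element.
TEXTAREA_PAYLOAD = '<p>Hi</p><textarea><!--</textarea><img src=x onerror=alert(1)>--></textarea>'
NOEMBED_PAYLOAD = '<noembed><!--</noembed><script>alert(1)</script>-->'
BENIGN = '<b>bold</b> <a href="https://example.com">link</a>'

if __name__ == "__main__":
    for p in (TEXTAREA_PAYLOAD, NOEMBED_PAYLOAD, BENIGN):
        print("naive:", sanitize_naive(p), "-> executes:", executes_script(sanitize_naive(p)))
        print("aware:", sanitize_aware(p), "-> executes:", executes_script(sanitize_aware(p)))
```

Running the block shows both payloads passing `sanitize_naive` unchanged and then yielding a live `img onerror` or `script` under browser rules, while `sanitize_aware` reduces them to `<p>Hi</p>-->` and `-->` and leaves the benign fragment intact. The general lesson is that a sanitizer must tokenize with the same content-model rules as the consumer, and the cheapest way to close this class of bypass is to drop every text-only element (and its content) rather than trying to pass it through.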
Risk Scores
EPSS score: 0.87% (75.6th percentile), the estimated probability of exploitation activity in the wild within the next 30 days
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu 16.04 LTS | squirrelmail | 0, 2:1.4.23~svn20120406-2, 2:1.4.23~svn20120406-2ubuntu1 |
| Ubuntu Pro 14.04 LTS | squirrelmail | 0, 2:1.4.23~svn20120406-2, * |
Exploit Intelligence
- http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html (nist-nvd)
- https://seclists.org/bugtraq/2019/Jul/0 (nist-nvd)
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt (nist-nvd)
- 20190730 [SYSS-2019-016] SquirrelMail script filter bypass/XSS (update) (circl)
- [debian-lts-announce] 20190801 [SECURITY] [DLA 1868-1] squirrelmail security update (circl)
Timeline
- Jul 1, 2019: CVE published
- Apr 14, 2021 to Sep 4, 2022: EPSS score updates (Apr 14, Jun 23, Aug 24 and Oct 26, 2021; Jan 6, Feb 4, Feb 28, Apr 1, May 1, Jul 3 and Sep 4, 2022)
References
- https://ubuntu.com/security/CVE-2019-12970 (third-party advisory)
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt (third-party advisory)
- http://packetstormsecurity.com/files/153495/SquirrelMail-1.4.22-Cross-Site-Scripting.html (third-party advisory)
- https://seclists.org/bugtraq/2019/Jul/0 (third-party advisory)
- https://ubuntu.com/security/notices/USN-4669-1 (vendor advisory)
- https://www.cve.org/CVERecord?id=CVE-2019-12970 (CVE record)