CVE-2009-2964

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.

References

Link	Tags
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html	vendor advisory
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html	vendor advisory
https://gna.org/forum/forum.php?forum_id=2146
http://www.vupen.com/english/advisories/2010/1481	vdb entry
http://download.gna.org/nasmail/nasmail-1.7.zip
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818	patch
http://jvn.jp/en/jp/JVN30881447/index.html	third party advisory
http://secunia.com/advisories/34627	third party advisory vendor advisory
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
http://www.debian.org/security/2010/dsa-2091	vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=517312	patch
http://www.mandriva.com/security/advisories?name=MDVSA-2009:222	vendor advisory
http://support.apple.com/kb/HT4188
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668	signature vdb entry
http://secunia.com/advisories/40220	third party advisory
http://osvdb.org/60469	vdb entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/52406	vdb entry
http://secunia.com/advisories/40964	third party advisory
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html	vendor advisory
http://www.vupen.com/english/advisories/2010/2080	vdb entry
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818	patch
http://www.securityfocus.com/bid/36196	vdb entry
http://secunia.com/advisories/37415	third party advisory
http://secunia.com/advisories/36363	third party advisory vendor advisory
http://www.squirrelmail.org/security/issue/2009-08-12	patch vendor advisory
http://www.vupen.com/english/advisories/2009/3315	vdb entry
http://www.osvdb.org/57001	vdb entry
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html	third party advisory
http://www.vupen.com/english/advisories/2009/2262	patch vendor advisory vdb entry

Frequently Asked Questions

What is the severity of CVE-2009-2964?: CVE-2009-2964 has been scored as a medium severity vulnerability.
How to fix CVE-2009-2964?: To fix CVE-2009-2964, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2009-2964 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2009-2964 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-352 – Cross-Site Request Forgery (CSRF)

References

Frequently Asked Questions