CVE-2009-0030

medium

Description

A certain Red Hat patch for SquirrelMail 1.4.8 sets the same SQMSESSID cookie value for all sessions, which allows remote authenticated users to access other users' folder lists and configuration data in opportunistic circumstances by using the standard webmail.php interface. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3663.

References

https://rhn.redhat.com/errata/RHSA-2009-0057.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10366

https://exchange.xforce.ibmcloud.com/vulnerabilities/48115

https://bugzilla.redhat.com/show_bug.cgi?id=480488

https://bugzilla.redhat.com/show_bug.cgi?id=480224

http://www.securityfocus.com/bid/33354

http://securitytracker.com/id?1021611

http://secunia.com/advisories/33611

http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

Details

Source: MITRE, NVD

Published: 2009-01-21

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium