Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier
Bug #446838 reported by Leonel Nunez
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squirrelmail (Ubuntu) | Fix Released | High | Unassigned |
Dapper | Won't Fix | High | Leonel Nunez |
Hardy | Fix Released | High | Unassigned |
Intrepid | Fix Released | High | Unassigned |
Jaunty | Fix Released | High | Unassigned |
Karmic | Fix Released | High | Unassigned |
Lucid | Fix Released | High | Unassigned |
Bug Description
Binary package hint: squirrelmail
All form submissions (send message, change preferences, etc.) in SquirrelMail were previously subject to cross-site request forgery (CSRF), wherein data could be sent to them from an offsite location, which could allow an attacker to inject malicious content into user preferences or possibly send emails without user consent.
Changed in squirrelmail (Ubuntu):
status: Confirmed → In Progress
assignee: Leonel Nunez (leonelnunez) → Marc Deslauriers (mdeslaur)
Changed in squirrelmail (Ubuntu Lucid):
status: Fix Released → Fix Committed
status: Fix Committed → Fix Released
Changed in squirrelmail (Ubuntu Hardy):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in squirrelmail (Ubuntu Jaunty):
status: In Progress → Fix Committed
tags: removed: security-verification
tags: added: verification-needed
tags: added: patch patch-needswork
Changed in squirrelmail (Ubuntu Dapper):
status: Incomplete → Won't Fix
Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.