There is a cross-site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the decoded strings. This issue should also affect FC2.
Attachment 106907 contains the fix for this issue.
Updates for FC2 and FC3 have been issued.
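The bug class described above, as an added illustration that is not SquirrelMail's code or the attached fix: an RFC 2047 encoded-word header hides `<` and `>` as `=3C`/`=3E`, so any sanitizer that does not run on the decoded text lets the markup through. The sample header is constructed; the function names are this example's own.

```python
import email.header
import html

# Constructed sample: a Subject header whose encoded-word decodes to HTML markup.
# (Q-encoding: "_" is a space, =3C is "<", =3E is ">".)
ENCODED_SUBJECT = "=?ISO-8859-1?Q?Hello_=3Cscript=3Ealert(1)=3C/script=3E?="


def decode_header(raw: str) -> str:
    """Decode RFC 2047 encoded-words into a plain str (the step the page says works)."""
    parts = []
    for chunk, charset in email.header.decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)  # header with no encoded-words comes back as str
    return "".join(parts)


def render_subject_vulnerable(raw: str) -> str:
    """Bug pattern: the decoded string reaches the page unsanitized.
    Here the escape runs on the still-encoded header, where there is nothing to
    escape, and decoding afterwards reintroduces the markup."""
    escaped = html.escape(raw)
    return decode_header(escaped)


def render_subject_fixed(raw: str) -> str:
    """Fix: decode first, then escape the *decoded* text before it enters HTML."""
    return html.escape(decode_header(raw))


if __name__ == "__main__":
    print("vulnerable:", render_subject_vulnerable(ENCODED_SUBJECT))
    print("fixed:     ", render_subject_fixed(ENCODED_SUBJECT))
```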