SquirrelMail is vulnerable to a remote code execution vulnerability because it fails to sanitize a string before passing it to a popen() call. Because that string reaches the shell unquoted, it is possible to exploit this vulnerability to execute arbitrary shell commands on the remote server with the privileges of the web server process.

References:
http://seclists.org/oss-sec/2017/q2/96
http://seclists.org/fulldisclosure/2017/Apr/81
http://seclists.org/oss-sec/2017/q2/114
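The defect class described above, as an added illustration that is not SquirrelMail's own code: a hypothetical helper that builds a sendmail command line by string concatenation, beside the same helper hardened with escapeshellarg() and an input check. The function names, the -f argument and the sample address are assumptions for the illustration.

```php
<?php
// Added illustration (not SquirrelMail's code) of an unsanitized string
// reaching popen(). Every shell metacharacter in $address is interpreted
// by /bin/sh when the command runs.
function build_command_unsafe(string $sendmail, string $address): string
{
    return "$sendmail -f $address"; // vulnerable pattern: no quoting at all
}

// Hardened form: escapeshellarg() wraps the value in single quotes and
// escapes embedded quotes, so the shell sees exactly one argument.
function build_command_safe(string $sendmail, string $address): string
{
    return escapeshellarg($sendmail) . ' -f ' . escapeshellarg($address);
}

// Defence in depth: reject anything that is not a plain e-mail address
// before it is ever placed on a command line (assumes addr-spec input).
function is_safe_address(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample: a value carrying shell metacharacters.
$sample = 'user@example.org; echo injected';

// The unsafe builder yields two shell commands; the safe one yields a
// single quoted argument and the validator rejects the value outright.
echo build_command_unsafe('/usr/sbin/sendmail', $sample), "\n";
echo build_command_safe('/usr/sbin/sendmail', $sample), "\n";
var_dump(is_safe_address($sample));
var_dump(is_safe_address('user@example.org'));
```

Only the command strings are printed here; nothing is passed to popen(), so the sample can be run safely to compare the two forms.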
Created squirrelmail tracking bugs for this issue:
Affects: epel-all [bug 1445166]
Affects: fedora-all [bug 1445167]
External References:
http://www.squirrelmail.org/security/issue/2017-04-24