Bug 720693 (CVE-2010-4554) - CVE-2010-4554 SquirrelMail: Prone to clickjacking attacks
Summary: CVE-2010-4554 SquirrelMail: Prone to clickjacking attacks
Alias: CVE-2010-4554
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 720696 720697 737980 737981 737982 833983
Blocks: 720699 720700
Reported: 2011-07-12 14:18 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:45 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-06-20 15:36:21 UTC


Errata: Red Hat Product Errata RHSA-2012:0103 (Private: 0; Priority: normal; Status: SHIPPED_LIVE)
Summary: Moderate: squirrelmail security update
Last Updated: 2012-02-09 00:45:45 UTC

Description Jan Lieskovsky 2011-07-12 14:18:51 UTC
It was found that the SquirrelMail webmail client did not properly handle generation of a particular web page HTML header in cases when the entire application was loaded in a separate HTML frame, potentially overlaying other HTML elements on top of SquirrelMail's user interface. A remote attacker could use this flaw to obtain access to sensitive user data (passwords, for example).

Upstream advisory:
[1] http://www.squirrelmail.org/security/issue/2011-07-12

Relevant upstream patch:
[2] http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=revision&revision=14117
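A defender-side check for this bug class, added here as an example that is not SquirrelMail's or Red Hat's code: it parses a raw HTTP response head and reports whether the page may be embedded in a frame by another site. It assumes the relevant controls are the X-Frame-Options header and the CSP frame-ancestors directive (the report itself does not name the header the upstream patch adds); the two sample responses are constructed.

```python
# Added example (not SquirrelMail/Red Hat code): classify an HTTP response's
# anti-framing policy. Assumes the controls are X-Frame-Options and the CSP
# frame-ancestors directive; the report does not name the header the fix adds.
from typing import Dict

# Constructed samples: a webmail page with no anti-framing control, and the
# same page once an anti-framing header is emitted.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: SQMSESSID=constructed; path=/\r\n\r\n"
    "<html>...</html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response into a dict keyed by lowercased header name."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block; the body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify as 'blocked', 'same-origin', 'restricted' or 'frameable'."""
    # CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            return "restricted"  # explicit allow-list of framing origins
    xfo = headers.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "frameable"  # no recognised control: any site may frame the page
```

Run over a captured response head, a result of "frameable" on a page that holds a session is the condition this report describes.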

Comment 1 Jan Lieskovsky 2011-07-12 14:21:20 UTC
This issue affects the versions of the squirrelmail package, as shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of the squirrelmail package, as present within the EPEL-6 repository. Please schedule an update.

This issue affects the versions of the squirrelmail package, as shipped with Fedora releases 14 and 15. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-07-12 14:24:46 UTC
Created squirrelmail tracking bugs for this issue

Affects: epel-6 [bug 720696]
Affects: fedora-all [bug 720697]

Comment 4 errata-xmlrpc 2012-02-08 19:47:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2012:0103 https://rhn.redhat.com/errata/RHSA-2012-0103.html
