Vulnerability Bulletins |
Cross-Site Request Forgery in SquirrelMail |
|
Vulnerability classification |
|
Property | Value |
Confidence level | Official |
Impact | Privilege escalation |
Difficulty | Expert |
Required attacker level | Remote access without an account to a standard service |
System information |
|
Property | Value |
Affected manufacturer | GNU/Linux |
Affected software | SquirrelMail 1.4.x < 1.4.20 |
Description |
|
Multiple cross-site request forgery vulnerabilities have been discovered in SquirrelMail 1.4. A remote attacker could impersonate a user by means of a specially crafted HTTP request. |
|
Solution |
|
Software update
Red Hat (RHSA-2009:1490-1)
RHEL Desktop Workstation (v. 5 client)
Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.8.z)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.8.z)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
https://rhn.redhat.com/
Debian (DSA 2091-1)
Debian Linux 5.0
Source
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1.diff.gz
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15.orig.tar.gz
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1.dsc
independent packages:
http://security.debian.org/pool/updates/main/s/squirrelmail/squirrelmail_1.4.15-4+lenny3.1_all.deb |
|
Standard resources |
|
Property | Value |
CVE | CVE-2009-2964 |
BID | 36196 |
Other resources |
|
Red Hat Security Advisory (RHSA-2009:1490-1) https://rhn.redhat.com/errata/RHSA-2009-1490.html
Debian Security Advisory (DSA 2091-1) http://lists.debian.org/debian-security-announce/2010/msg00136.html |
Version history |
||
Version | Comments | Date |
1.0 | Advisory issued | 2009-10-09 |
1.1 | Advisory issued by Debian (DSA 2091-1) | 2010-08-27 |