ID |
CVE-2008-3663
|
Summary |
Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
References |
|
Vulnerable Configurations |
|
CVSS |
Base: | 5.0 (as of 11-10-2018 - 20:49) |
Impact: | |
Exploitability: | |
|
CWE |
CWE-310 |
CAPEC |
|
Access |
Vector | Complexity | Authentication |
NETWORK | LOW | NONE |
|
Impact |
Confidentiality | Integrity | Availability |
PARTIAL | NONE | NONE |
|
cvss-vector
via4
|
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
oval
via4
|
accepted | 2013-04-29T04:06:36.641-04:00 | class | vulnerability | contributors | name | Aharon Chernin | organization | SCAP.com, LLC |
name | Dragos Prisaca | organization | G2, Inc. |
| definition_extensions | comment | The operating system installed on the system is Red Hat Enterprise Linux 3 | oval | oval:org.mitre.oval:def:11782 |
comment | CentOS Linux 3.x | oval | oval:org.mitre.oval:def:16651 |
comment | The operating system installed on the system is Red Hat Enterprise Linux 4 | oval | oval:org.mitre.oval:def:11831 |
comment | CentOS Linux 4.x | oval | oval:org.mitre.oval:def:16636 |
comment | Oracle Linux 4.x | oval | oval:org.mitre.oval:def:15990 |
comment | The operating system installed on the system is Red Hat Enterprise Linux 5 | oval | oval:org.mitre.oval:def:11414 |
comment | The operating system installed on the system is CentOS Linux 5.x | oval | oval:org.mitre.oval:def:15802 |
comment | Oracle Linux 5.x | oval | oval:org.mitre.oval:def:15459 |
| description | Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | family | unix | id | oval:org.mitre.oval:def:10548 | status | accepted | submitted | 2010-07-09T03:56:16-04:00 | title | Squirrelmail 1.4.15 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. | version | 30 |
|
redhat
via4
|
advisories | bugzilla | id | 473877 | title | CVE-2008-2379 squirrelmail: XSS issue caused by an insufficient html mail sanitation |
| oval | OR | comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026 |
AND | comment | Red Hat Enterprise Linux 4 is installed | oval | oval:com.redhat.rhba:tst:20070304025 |
comment | squirrelmail is earlier than 0:1.4.8-5.el4_7.2 | oval | oval:com.redhat.rhsa:tst:20090010001 |
comment | squirrelmail is signed with Red Hat master key | oval | oval:com.redhat.rhsa:tst:20060283002 |
|
AND | comment | Red Hat Enterprise Linux 5 is installed | oval | oval:com.redhat.rhba:tst:20070331005 |
comment | squirrelmail is earlier than 0:1.4.8-5.el5_2.2 | oval | oval:com.redhat.rhsa:tst:20090010004 |
comment | squirrelmail is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhsa:tst:20070358005 |
|
|
| rhsa | id | RHSA-2009:0010 | released | 2009-01-12 | severity | Moderate | title | RHSA-2009:0010: squirrelmail security update (Moderate) |
|
| rpms | - squirrelmail-0:1.4.8-5.el4_7.2
- squirrelmail-0:1.4.8-5.el5_2.2
- squirrelmail-0:1.4.8-8.el3
|
|
refmap
via4
|
apple | APPLE-SA-2009-02-12 | bid | 31321 | bugtraq | 20080922 Squirrelmail: Session hijacking vulnerability, CVE-2008-3663 | confirm | | misc | http://int21.de/cve/CVE-2008-3663-squirrelmail.html | secunia | 33937 | sreason | 4304 | suse | - SUSE-SR:2008:028
- SUSE-SR:2009:004
| xf | squirrelmail-cookie-session-hijacking(45700) |
|
statements
via4
|
contributor | Tomas Hoger | lastmodified | 2009-01-12 | organization | Red Hat | statement | This issue has been fixed in the affected Red Hat Enterprise Linux versions via: https://rhn.redhat.com/errata/RHSA-2009-0010.html |
|
Last major update |
11-10-2018 - 20:49 |
Published |
24-09-2008 - 14:56 |
Last modified |
11-10-2018 - 20:49 |