Squirrelmail CVE-2017-7692 Command Injection Vulnerability
by CIRT Team
Description: SquirrelMail versions 1.4.22 and below are vulnerable to a command-line argument injection exploit that could allow arbitrary code execution if $edit_identity and $useSendmail are enabled and the user has knowledge of the location and permissions of the SquirrelMail attachment directory.
Impact: A successful exploit allows an attacker to inject and execute arbitrary commands in the context of the affected application. SquirrelMail versions 1.4.22 and prior are vulnerable.
Mitigation: Updates are available. Please check the vendor's advisory for more information.
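As an added illustration (not code from this advisory and not SquirrelMail's own Deliver_SendMail class), the following Python shows the defensive pattern behind this class of bug: a user-controlled address that reaches the sendmail command line must be validated so it can never be read as an option, and the arguments should be passed as an argv list rather than through a shell. The function names, the address grammar and the sendmail path are assumptions for the example.

```python
"""Defensive handling of addresses that become sendmail arguments.
Generic example code; names and the address grammar are assumptions."""
import re
import shlex
import subprocess

# Conservative mailbox grammar: a small safe character set for the local
# part and the domain. Values outside it are rejected, not escaped, so a
# value can never carry shell metacharacters or whitespace.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+=-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_sender(address: str) -> bool:
    """True only for addresses safe to pass as a sendmail argument:
    non-empty, within a sane length, matching the grammar above, and not
    beginning with '-', which a getopt-style parser would treat as an
    option flag rather than an address."""
    if not address or len(address) > 254:
        return False
    if address.startswith("-"):
        return False
    return _ADDRESS_RE.fullmatch(address) is not None


def build_sendmail_argv(sendmail_path: str, sender: str, recipients) -> list:
    """Build the argv list for a sendmail-compatible binary.

    Every address is validated first; the list is then meant for a spawner
    that takes argv directly (no shell), so quoting is not the defence,
    validation is."""
    if not is_safe_sender(sender):
        raise ValueError(f"rejected sender address: {sender!r}")
    bad = [r for r in recipients if not is_safe_sender(r)]
    if bad:
        raise ValueError(f"rejected recipient address(es): {bad!r}")
    # -i: do not treat a lone '.' line as end of input; -f: envelope sender
    return [sendmail_path, "-i", "-f", sender] + list(recipients)


def shell_command_line(argv) -> str:
    """For a legacy code path that must go through a shell (as popen does),
    quote each argument. Quoting stops shell injection but NOT option
    injection, which is why is_safe_sender runs before this step."""
    return " ".join(shlex.quote(a) for a in argv)


def send_message(sendmail_path: str, sender: str, recipients, body: bytes) -> int:
    """Hand the message to sendmail via argv (no shell). Returns the exit
    status. Not exercised by the self-check below, since it needs a real
    sendmail binary."""
    argv = build_sendmail_argv(sendmail_path, sender, recipients)
    proc = subprocess.run(argv, input=body, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample inputs for a quick self-check.
    good = build_sendmail_argv("/usr/sbin/sendmail", "alice@example.org",
                               ["bob@example.net"])
    print(shell_command_line(good))
    for candidate in ("-user@example.org", "alice@example.org; id", ""):
        print(repr(candidate), "accepted" if is_safe_sender(candidate) else "rejected")
```

The key point for this advisory is the first check in is_safe_sender: escaping alone does not help when the injected value is a well-formed option string, so the address must be validated before it is ever placed on the command line.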
Reference URLs:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7692
- http://www.squirrelmail.org/security/issue/2017-04-24
- https://sourceforge.net/p/squirrelmail/code/14649/tree//branches/SM-1_4-STABLE/squirrelmail/class/deliver/Deliver_SendMail.class.php?diff=51b7b4d65fcbc96f6b6e3708:14648
- http://www.securityfocus.com/bid/98067/info