CVE-2025-30090 - Vulnerability Details - OpenCVE

mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Squirrelmail	Squirrelmail

No data.

No data.

References

Link	Providers
https://squirrelmail.org
https://squirrelmail.org/security/issue.php?d=2025-04-02

History

Wed, 02 Apr 2025 13:15:00 +0000

Type	Values Removed	Values Added
Description		mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true.
Weaknesses		CWE-79
References		https://squirrelmail.org https://squirrelmail.org/security/issue.php?d=2025-04-02
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2025-04-02T00:00:00.000Z

Updated: 2025-04-02T13:27:48.268Z

Reserved: 2025-03-17T00:00:00.000Z

Link: CVE-2025-30090

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-04-02T13:15:44.730

Modified: 2025-04-02T14:58:07.527

Link: CVE-2025-30090

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-30090", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-02T13:27:48.268Z", "dateReserved": "2025-03-17T00:00:00.000Z", "datePublished": "2025-04-02T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SquirrelMail", "vendor": "SquirrelMail", "versions": [{"lessThanOrEqual": "1.4.23-svn-20250401", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThanOrEqual": "1.5.2-svn-20250401", "status": "affected", "version": "1.5", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-04-02T12:57:35.284Z"}, "references": [{"url": "https://squirrelmail.org"}, {"url": "https://squirrelmail.org/security/issue.php?d=2025-04-02"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.4.23-svn-20250401"}, {"vulnerable": true, "criteria": "cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.5", "versionEndIncluding": "1.5.2-svn-20250401"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-02T13:20:37.964142Z", "id": "CVE-2025-30090", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-02T13:27:48.268Z"}}]}, "dataVersion": "5.1"}