FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

SquirrelMail -- post-authentication remote code execution

Affected packages
squirrelmail < 20170705


VuXML ID e1de77e8-c45e-48d7-8866-5a6f943046de
Discovery 2017-04-19
Entry 2017-08-22

SquirrelMail developers report:

SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allows post-authentication remote code execution via a file that is mishandled in a popen call. It's possible to exploit this vulnerability to execute arbitrary shell commands on the remote server.