Squirrelmail · G/Pgp Plugin · CVE-2005-1924
**Name of the Vulnerable Software and Affected Versions**
G/PGP Plugin versions 2.1 and earlier for Squirrelmail
**Description**
The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in the `fpr` parameter to the `deleteKey` function in `gpg_keyring.php` and the `keyserver` parameter to the `gpg_recv_key` function in `gpg_key_functions.php`. This can be exploited through various PHP files, including `import_key_file.php`, `import_key_text.php`, `keyring_main.php`, and `gpg_options.php`.
**Recommendations**
For G/PGP Plugin versions 2.1 and earlier, consider disabling the `deleteKey` function and restricting access to the `gpg_recv_key` function until a patch is available. Avoid using the `fpr` and `keyserver` parameters in the affected API endpoints until the issue is resolved.
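
The class of bug described above (request values reaching a `gpg` command line through a shell) is usually closed by validating each value against a strict allow-list and invoking `gpg` without a shell. The following is an added example, not the plugin's code or its patch; `validate_fpr`, `validate_keyserver` and `run_gpg` are hypothetical names, the sample inputs are constructed, and passing an array to `proc_open()` assumes PHP 7.4 or later.

```php
<?php
// Added example; function names are hypothetical, not taken from the plugin.

/** Allow only a hex key ID or fingerprint (8, 16, 32 or 40 hex digits). */
function validate_fpr(string $fpr): string
{
    $fpr = strtoupper(str_replace(' ', '', $fpr));
    // \A and \z anchor the whole string; "$" would tolerate a trailing newline.
    if (!preg_match('/\A(?:[0-9A-F]{8}|[0-9A-F]{16}|[0-9A-F]{32}|[0-9A-F]{40})\z/', $fpr)) {
        throw new InvalidArgumentException('fpr is not a hex key ID or fingerprint');
    }
    return $fpr;
}

/** Allow only [scheme://]host[:port]; a leading "-" (option injection) cannot match. */
function validate_keyserver(string $ks): string
{
    $re = '/\A(?:(?:hkp|hkps|ldap|http|https):\/\/)?'
        . '[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?(?::[0-9]{1,5})?\z/';
    if (!preg_match($re, $ks)) {
        throw new InvalidArgumentException('keyserver is not a plain host name');
    }
    return $ks;
}

/** Run gpg from an argument vector: with an array, proc_open() starts no shell. */
function run_gpg(array $args): array
{
    $argv = array_merge(['gpg', '--batch', '--no-tty'], $args);
    // stderr is merged into stdout so one read cannot block on a full second pipe.
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['redirect', 1]], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['status' => proc_close($proc), 'output' => $output];
}

// Constructed inputs: one well-formed pair, one carrying shell metacharacters.
$samples = [['0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567', 'hkp://keys.example.org'],
            ['DEADBEEF;x', 'keys.example.org|x']];
foreach ($samples as [$fpr, $ks]) {
    try {
        $args = ['--keyserver', validate_keyserver($ks), '--recv-keys', validate_fpr($fpr)];
        echo 'accepted: gpg ', implode(' ', $args), "\n"; // $args is what run_gpg() takes
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The demo loop only validates and prints; `run_gpg()` is the point at which the accepted argument vector would be executed.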