CVE-2006-6142

Name of the Vulnerable Software and Affected Versions SquirrelMail versions 1.4.0 through 1.4.9

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via several parameters, including the mailto parameter in "webmail.php", the session and delete draft parameters in "compose.php", and other unspecified vectors related to a shortcoming in the magicHTML filter.

Recommendations For SquirrelMail versions 1.4.0 through 1.4.9, consider disabling the magicHTML filter as a temporary workaround until a patch is available. Restrict access to the "webmail.php" and "compose.php" scripts to minimize the risk of exploitation. Avoid using the mailto, session, and delete draft parameters in the affected scripts until the issue is resolved.