Scott Hughes

#51986 of 53,638
4.3 total CVSS
Vulnerabilities · 1
PT-2006-1272
4.3
2006-02-24
Microsoft · Internet Explorer · CVE-2006-0195
**Name of the Vulnerable Software and Affected Versions**

SquirrelMail versions 1.4.0 through 1.4.5

**Description**

The issue is related to an interpretation conflict in the MagicHTML filter, allowing remote attackers to conduct cross-site scripting (XSS) attacks. This can be achieved via style sheet specifiers with invalid comments, such as "/*" and "*/", or a newline in a "url" specifier. Certain web browsers, including Internet Explorer, process these specifiers in a way that enables the attack.

**Recommendations**

For SquirrelMail versions 1.4.0 through 1.4.5, update to a version that fixes the MagicHTML filter interpretation conflict to prevent cross-site scripting attacks.