PT-2020-14070 · Squirrelmail · Squirrelmail

Hanno Böck

·

Published

2020-06-20

·

Updated

2024-08-04

·

CVE-2020-14933

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

SquirrelMail version 1.4.22

Description

compose.php in SquirrelMail 1.4.22 passes the $attachments value, taken directly from the HTTP POST request, to unserialize(). Unserializing attacker-controlled input is the classic entry point for PHP object injection: the serialized string names a class, the engine instantiates it with attacker-chosen property values, and any magic method that class defines (__wakeup on deserialization, __destruct when the object is released) runs without the application ever calling it. The vendor disputes the practical impact because two preconditions for a working injection are not met in SquirrelMail: no attack-relevant class declaring a magic method such as __wakeup or __destruct exists, and no such class is declared or autoloaded before the unserialize call is reached. Without a reachable gadget class, unserialize() produces only __PHP_Incomplete_Class objects that carry data but have no methods, so no attacker-chosen code executes.

Recommendations

Do not hand the request-controlled $attachments value in compose.php to unserialize(). Until a patched release is available, carry attachment metadata in a data-only format (json_encode/json_decode), or, on PHP 7.0 and later, call unserialize() with ['allowed_classes' => false] so that the input can never instantiate an application class; in either case validate that the decoded value has the array shape compose.php expects before using it. Restricting access to compose.php to authenticated users limits exposure (the CVSS vector already assumes PR:L). The unserialize call should be treated as a latent weakness rather than a non-issue: any class with __wakeup or __destruct that is later added to, or autoloaded in, the compose code path would turn it into an exploitable gadget chain.
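The following is an added example, not SquirrelMail code and not part of the original advisory. It demonstrates the mechanism described above and the vendor's argument in the same script: a hypothetical gadget class named LogWriter (an assumption for this example; SquirrelMail 1.4.22 declares nothing like it), a constructed serialized payload standing in for $_POST['attachments'], the __PHP_Incomplete_Class result when the named class is not declared, and the two hardening options from the recommendations. Run it with the PHP CLI on PHP 7.0 or later (the allowed_classes option does not exist in earlier versions).

```php
<?php
// Added example, not SquirrelMail code. Shows why unserialize() on request
// data is dangerous when a gadget class is declared, why the vendor's two
// preconditions matter, and two ways to harden the call.

// Hypothetical gadget class (assumption for this example; SquirrelMail
// 1.4.22 declares no class like it). Precondition 1: a magic method.
class LogWriter
{
    public $path;
    public $data;

    // Runs automatically when the object is released, with whatever
    // property values the serialized string supplied.
    public function __destruct()
    {
        // A real gadget would write $this->data to $this->path.
        echo "[gadget] __destruct reached with path={$this->path}\n";
    }
}

// Stand-in for $_POST['attachments']: a serialized object the attacker
// chose (constructed for this example, not a captured request).
$attachments = 'O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/evil.php";'
             . 's:4:"data";s:5:"<?php";}';

// Reports what unserialize()/json_decode() actually produced.
function classOf($value)
{
    return is_object($value) ? get_class($value) : gettype($value);
}

echo "1. Gadget class declared, unserialize() on raw POST data:\n";
$obj = unserialize($attachments);
echo "   instantiated: " . classOf($obj) . "\n";
unset($obj);   // __destruct fires with attacker-controlled properties

echo "\n2. Precondition 2 missing: the serialized class is not declared:\n";
$unknown = unserialize('O:11:"MailGadget0":1:{s:3:"cmd";s:2:"id";}');
echo "   instantiated: " . classOf($unknown) . "\n";
// __PHP_Incomplete_Class carries the data but has no methods, so nothing
// attacker-chosen ever runs. This is the state the vendor describes.
unset($unknown);

echo "\n3. Hardening: unserialize() with allowed_classes => false:\n";
$safe = unserialize($attachments, ['allowed_classes' => false]);
echo "   instantiated: " . classOf($safe) . "\n";
unset($safe);  // no destructor: LogWriter was never instantiated

echo "\n4. Hardening: carry attachment metadata as JSON instead:\n";
$wire = json_encode(['path' => 'att-1.bin', 'size' => 1024]);
$meta = json_decode($wire, true);
echo "   decoded as: " . classOf($meta) . "\n";
// json_decode() can only yield scalars, arrays and stdClass, so the input
// cannot name an application class at all. Still validate the shape.
if (!is_array($meta) || !isset($meta['path'], $meta['size'])) {
    exit("unexpected attachment metadata\n");
}
```

Step 1 is the exploitable configuration: the destructor runs with attacker-supplied properties as soon as the object goes out of scope. Step 2 is SquirrelMail's actual situation according to the vendor: the class named in the payload is not declared, so only an inert __PHP_Incomplete_Class comes back. Steps 3 and 4 are the hardening choices from the recommendations; step 3 keeps the serialized wire format but forbids instantiation, step 4 switches to a format that has no notion of classes.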

Fix

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

CVE-2020-14933

Affected Products

Squirrelmail