** DISPUTED ** compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded). .
References
Link | Resource |
---|---|
https://www.openwall.com/lists/oss-security/2020/06/20/1 | Mailing List Third Party Advisory |
Configurations
History
30 Nov 2021, 18:50
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.8 |
17 Nov 2021, 22:17
Type | Values Removed | Values Added |
---|---|---|
Summary | ** DISPUTED ** compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded). . |
10 Nov 2021, 01:15
Type | Values Removed | Values Added |
---|---|---|
Summary | compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. |
04 Nov 2021, 02:15
Type | Values Removed | Values Added |
---|---|---|
Summary | ** DISPUTED ** compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded). . |
Information
Published : 2020-06-20 13:15
Updated : 2024-08-04 13:15
NVD link : CVE-2020-14933
Mitre link : CVE-2020-14933
CVE.ORG link : CVE-2020-14933
JSON object : View
Products Affected
squirrelmail
- squirrelmail
CWE
CWE-502
Deserialization of Untrusted Data