CVE-2025-30090
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in SquirrelMail allows attackers to inject malicious JavaScript via email headers. When exploited, it can lead to session hijacking, credential theft, or malware delivery to users viewing malicious emails. All users of affected SquirrelMail versions are at risk.
💻 Affected Systems
- SquirrelMail
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, credential theft, malware distribution to all users, and potential lateral movement within the organization.
Likely Case
Session hijacking for individual users, credential theft via phishing, and unauthorized access to email accounts.
If Mitigated
Limited impact with proper Content Security Policy (CSP) headers, input validation, and user awareness training.
🎯 Exploit Status
Exploitation requires sending malicious emails to users. Attackers need to craft emails with JavaScript in headers that bypass the $encoded=true condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.4.23-svn-20250401 and 1.5.2-svn-20250401
Vendor Advisory: https://squirrelmail.org/security/issue.php?d=2025-04-02
Restart Required: No
Instructions:
1. Download the latest patched version from squirrelmail.org.
2. Back up your current installation.
3. Replace the vulnerable mime.php file with the patched version.
4. Verify the fix by testing with safe XSS payloads.
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict JavaScript execution from untrusted sources.
Add to web server config: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
For Apache: Header always set Content-Security-Policy "default-src 'self'"
For Nginx: add_header Content-Security-Policy "default-src 'self';";
Note that a policy without 'unsafe-inline' also blocks inline scripts and event handlers, so test the SquirrelMail interface after deploying it.
Input Sanitization Filter
Add custom input filtering for email headers before processing.
Modify mime.php to add: $header = htmlspecialchars($header, ENT_QUOTES, 'UTF-8'); before processing
Or implement regex filtering: preg_replace('/<script[^>]*?>.*?<\/script>/si', '', $header);
The regex only strips paired script tags and is easy to evade, so treat it as a stop-gap; output encoding with htmlspecialchars at the point where the header is rendered is the reliable control.
🧯 If You Can't Patch
- Disable JavaScript execution in email viewing by modifying SquirrelMail configuration
- Implement network-level WAF rules to block malicious email headers containing script tags
🔍 How to Verify
Check if Vulnerable:
Check the SquirrelMail version and compare it with the affected versions. Test with a safe XSS payload in email headers.
Check Version:
grep '\$version' squirrelmail_path/config/config.php | head -1
Verify Fix Applied:
Test with the same XSS payload that previously triggered the vulnerability. Verify JavaScript does not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual email header patterns containing script tags
- Multiple failed login attempts from unexpected locations after email views
- JavaScript errors in user browser logs related to email content
Network Indicators:
- Unusual outbound connections from SquirrelMail server after email access
- Spike in traffic to known malicious domains
SIEM Query:
source="squirrelmail" AND (header="<script" OR header="javascript:")
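The SIEM query above matches the raw header text, which misses script content carried inside RFC 2047 encoded-words (the encoded headers this bug concerns). Added example, not from the page or from SquirrelMail: a Python check that applies the advisory's two indicators to header lines both raw and after decoding. The sample header lines and the example.invalid address are constructed.

```python
import base64
from email.header import decode_header, make_header

# Indicators taken from the advisory's SIEM query; matched case-insensitively.
INDICATORS = ("<script", "javascript:")

# Constructed sample header lines (not real mail): two clean, one with a raw
# tag, one with the same tag hidden in a base64 encoded-word, and one with a
# javascript: URI hidden in a Q-encoded word.
SAMPLE_HEADERS = [
    "Subject: Quarterly report",
    "X-Mailer: SquirrelMail/1.4.22",
    "Subject: <script>x</script>",
    "Subject: =?UTF-8?B?" + base64.b64encode(b"<script>x</script>").decode() + "?=",
    "From: =?UTF-8?Q?javascript=3Aalert?= <x@example.invalid>",
]


def decode_rfc2047(raw: str) -> str:
    """Decode RFC 2047 encoded-words so hidden text is visible to matching."""
    try:
        return str(make_header(decode_header(raw)))
    except (UnicodeError, ValueError, LookupError):
        return raw  # undecodable: fall back to the raw value


def header_hits(value: str) -> list:
    """Indicators present in a header value, checked raw AND decoded."""
    haystack = (value + "\n" + decode_rfc2047(value)).lower()
    return [i for i in INDICATORS if i in haystack]


def scan_headers(lines) -> list:
    """Return (header name, hits) for every 'Name: value' line that matches."""
    flagged = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and (hits := header_hits(value.strip())):
            flagged.append((name.strip(), hits))
    return flagged


if __name__ == "__main__":
    for name, hits in scan_headers(SAMPLE_HEADERS):
        print(f"{name}: {', '.join(hits)}")
```

A plain substring match on the raw lines would flag only the third sample; decoding first surfaces the other two.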