SquirrelMail G/PGP Encryption Plug-in Multiple Remote Command Execution Vulnerabilities

Vulnerabilities in the SquirrelMail G/PGP encryption plugin may allow attackers to execute shell commands and PHP script code. These issues occur because the application fails to sufficiently sanitize user-supplied data.

Injected commands and scripts would run with the privileges of the webserver process hosting the vulnerable software.

Three separate shell command-injection vulnerabilities and one local file-include vulnerability are present in various versions of the affected plugin. One of these issues has been addressed in G/PGP Encryption 2.1, but the others are still unfixed.

One or more of these issues may already have been documented in the following BIDs, but sufficient information is not currently available to distinguish between them:

- 24782, SquirrelMail G/PGP Encryption Plug-in Unspecified Remote Command Execution Vulnerability
- 24828, SquirrelMail G/PGP Encryption Plug-in Multiple Unspecified Remote Command Execution Vulnerabilities

All affected BIDs will be updated when more information is released.


Copyright 2010, SecurityFocus