CVE-2025-30090

Summary

mime.php in SquirrelMail through 1.4.23-svn-20250401 and 1.5.x through 1.5.2-svn-20250401 allows XSS via e-mail headers, because JavaScript payloads are mishandled after $encoded has been set to true.

Affected Software

VendorProductVersion RangeStatus
SquirrelMailSquirrelMail0 <= 1.4.23-svn-20250401affected
SquirrelMailSquirrelMail1.5 <= 1.5.2-svn-20250401affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References