CVE-2009-2964

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.19 and earlier, and NaSMail before 1.7, allow remote attackers to hijack the authentication of unspecified victims via features such as send message and change preferences, related to (1) functions/mailbox_display.php, (2) src/addrbook_search_html.php, (3) src/addressbook.php, (4) src/compose.php, (5) src/folders.php, (6) src/folders_create.php, (7) src/folders_delete.php, (8) src/folders_rename_do.php, (9) src/folders_rename_getname.php, (10) src/folders_subscribe.php, (11) src/move_messages.php, (12) src/options.php, (13) src/options_highlight.php, (14) src/options_identities.php, (15) src/options_order.php, (16) src/search.php, and (17) src/vcard.php.

Published: 2009-08-25
Last update: 2026-04-23
Assigner: [email protected]
Source: [email protected]

Conclusion & alert: CVE-2009-2964 is rated Moderate Risk (51.1/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.61%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2009-2964

EPSS is a daily estimate of the relative likelihood that a vulnerability will be exploited in the wild; the percentile ranks this CVE among all scored vulnerabilities, so a higher percentile means a higher relative likelihood of exploitation, not a higher severity.

| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|------|----------------|----------------|-------------------|
| 1 | 2025-12-01 | 0.86% | 0.61% | -0.25% |
| 2 | 2025-10-28 | 1.03% | 0.86% | -0.16% |
| 3 | 2025-10-27 | 1.03% | | |

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-2964

CVSS metrics for this CVE.

| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|------------|---------|----------|--------|----------------|--------|--------------|
| 6.8 | 2.0 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | [email protected] |

Vector breakdown:

Access vector (AV:N): exploitable remotely over the network; no local or adjacent-network access is needed.
Access complexity (AC:M): exploitation needs some favorable conditions, but not exceptional ones (for CSRF, the victim must be logged in and be induced to load attacker-controlled content).
Authentication (Au:N): no authentication is required of the attacker.
Confidentiality impact (C:P): partial confidentiality impact.
Integrity impact (I:P): partial integrity impact.
Availability impact (A:P): partial availability impact.

Weakness enumeration for CVE-2009-2964

OS Trackers for CVE-2009-2964

| Vendor | Priority | Summary | Link |
|--------|----------|---------|------|
| redhat | medium | | https://access.redhat.com/security/cve/CVE-2009-2964 |
| ubuntu | medium | CVE-2009-2964 medium priority: Ubuntu, including 1 source package (squirrelmail), 6 status rows across 6 suites (dapper, hardy, intrepid, jaunty, karmic, upstream): released 5, ignored 1. | https://ubuntu.com/security/CVE-2009-2964 |

Affected software / configurations for CVE-2009-2964

Vendor Product Version Raw CPE
squirrelmail squirrelmail <= 1.4.19 cpe:2.3:a:squirrelmail:squirrelmail:*:*:*:*:*:*:*:*
squirrelmail squirrelmail 0.1.1 cpe:2.3:a:squirrelmail:squirrelmail:0.1.1:*:*:*:*:*:*:*
squirrelmail squirrelmail 0.1.2 cpe:2.3:a:squirrelmail:squirrelmail:0.1.2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0 cpe:2.3:a:squirrelmail:squirrelmail:1.0:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0.1 cpe:2.3:a:squirrelmail:squirrelmail:1.0.1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0.2 cpe:2.3:a:squirrelmail:squirrelmail:1.0.2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0.3 cpe:2.3:a:squirrelmail:squirrelmail:1.0.3:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0.4 cpe:2.3:a:squirrelmail:squirrelmail:1.0.4:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0.5 cpe:2.3:a:squirrelmail:squirrelmail:1.0.5:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0.6 cpe:2.3:a:squirrelmail:squirrelmail:1.0.6:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0pre1 cpe:2.3:a:squirrelmail:squirrelmail:1.0pre1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0pre2 cpe:2.3:a:squirrelmail:squirrelmail:1.0pre2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.0pre3 cpe:2.3:a:squirrelmail:squirrelmail:1.0pre3:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.1.0 cpe:2.3:a:squirrelmail:squirrelmail:1.1.0:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.1.1 cpe:2.3:a:squirrelmail:squirrelmail:1.1.1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.1.2 cpe:2.3:a:squirrelmail:squirrelmail:1.1.2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.1.3 cpe:2.3:a:squirrelmail:squirrelmail:1.1.3:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2 cpe:2.3:a:squirrelmail:squirrelmail:1.2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.0 cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.0 cpe:2.3:a:squirrelmail:squirrelmail:1.2.0:rc3:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.0_rc3 cpe:2.3:a:squirrelmail:squirrelmail:1.2.0_rc3:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.1 cpe:2.3:a:squirrelmail:squirrelmail:1.2.1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.2 cpe:2.3:a:squirrelmail:squirrelmail:1.2.2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.3 cpe:2.3:a:squirrelmail:squirrelmail:1.2.3:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.4 cpe:2.3:a:squirrelmail:squirrelmail:1.2.4:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.5 cpe:2.3:a:squirrelmail:squirrelmail:1.2.5:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.6 cpe:2.3:a:squirrelmail:squirrelmail:1.2.6:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.6-rc1 cpe:2.3:a:squirrelmail:squirrelmail:1.2.6-rc1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.7 cpe:2.3:a:squirrelmail:squirrelmail:1.2.7:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.8 cpe:2.3:a:squirrelmail:squirrelmail:1.2.8:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.9 cpe:2.3:a:squirrelmail:squirrelmail:1.2.9:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.10 cpe:2.3:a:squirrelmail:squirrelmail:1.2.10:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.2.11 cpe:2.3:a:squirrelmail:squirrelmail:1.2.11:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.3.0 cpe:2.3:a:squirrelmail:squirrelmail:1.3.0:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.3.1 cpe:2.3:a:squirrelmail:squirrelmail:1.3.1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.3.2 cpe:2.3:a:squirrelmail:squirrelmail:1.3.2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4 cpe:2.3:a:squirrelmail:squirrelmail:1.4:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4 cpe:2.3:a:squirrelmail:squirrelmail:1.4:rc1:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.0 cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.0 cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc1:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.0 cpe:2.3:a:squirrelmail:squirrelmail:1.4.0:rc2a:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.0-r1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.0-r1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.0_rc1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.0_rc1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.0_rc2a cpe:2.3:a:squirrelmail:squirrelmail:1.4.0_rc2a:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.2 cpe:2.3:a:squirrelmail:squirrelmail:1.4.2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.2-r1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.2-r2 cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r2:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.2-r3 cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r3:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.2-r4 cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r4:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.2-r5 cpe:2.3:a:squirrelmail:squirrelmail:1.4.2-r5:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.3 cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.3 cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:r3:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.3 cpe:2.3:a:squirrelmail:squirrelmail:1.4.3:rc1:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.3_r3 cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_r3:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.3_rc1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.3_rc1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.3_rc1:r1:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.3a cpe:2.3:a:squirrelmail:squirrelmail:1.4.3a:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.3aa cpe:2.3:a:squirrelmail:squirrelmail:1.4.3aa:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.4 cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.4 cpe:2.3:a:squirrelmail:squirrelmail:1.4.4:rc1:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.4_rc1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.4_rc1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.5 cpe:2.3:a:squirrelmail:squirrelmail:1.4.5:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.5_rc1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.5_rc1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.6 cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.6 cpe:2.3:a:squirrelmail:squirrelmail:1.4.6:rc1:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.6_cvs cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_cvs:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.6_rc1 cpe:2.3:a:squirrelmail:squirrelmail:1.4.6_rc1:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.7 cpe:2.3:a:squirrelmail:squirrelmail:1.4.7:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.8 cpe:2.3:a:squirrelmail:squirrelmail:1.4.8:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.8.4fc6 cpe:2.3:a:squirrelmail:squirrelmail:1.4.8.4fc6:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.9 cpe:2.3:a:squirrelmail:squirrelmail:1.4.9:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.9a cpe:2.3:a:squirrelmail:squirrelmail:1.4.9a:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.10 cpe:2.3:a:squirrelmail:squirrelmail:1.4.10:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.10a cpe:2.3:a:squirrelmail:squirrelmail:1.4.10a:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.11 cpe:2.3:a:squirrelmail:squirrelmail:1.4.11:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.12 cpe:2.3:a:squirrelmail:squirrelmail:1.4.12:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.13 cpe:2.3:a:squirrelmail:squirrelmail:1.4.13:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.15 cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:*:*:*:*:*:*:*
squirrelmail squirrelmail 1.4.15 cpe:2.3:a:squirrelmail:squirrelmail:1.4.15:rc1:*:*:*:*:*:*

References for CVE-2009-2964

URL Tags
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543818
http://download.gna.org/nasmail/nasmail-1.7.zip
http://jvn.jp/en/jp/JVN30881447/index.html
http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-002207.html
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
http://osvdb.org/60469
http://secunia.com/advisories/34627 Vendor Advisory
http://secunia.com/advisories/36363 Vendor Advisory
http://secunia.com/advisories/37415
http://secunia.com/advisories/40220
http://secunia.com/advisories/40964
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/doc/ChangeLog?revision=13818&view=markup&pathrev=13818 Patch
http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail?view=rev&revision=13818 Patch
http://support.apple.com/kb/HT4188
http://www.debian.org/security/2010/dsa-2091
http://www.mandriva.com/security/advisories?name=MDVSA-2009:222
http://www.osvdb.org/57001
http://www.securityfocus.com/bid/36196
http://www.squirrelmail.org/security/issue/2009-08-12 Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/2262 Patch Vendor Advisory
http://www.vupen.com/english/advisories/2009/3315
http://www.vupen.com/english/advisories/2010/1481
http://www.vupen.com/english/advisories/2010/2080
https://bugzilla.redhat.com/show_bug.cgi?id=517312 Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/52406
https://gna.org/forum/forum.php?forum_id=2146
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10668
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00927.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00954.html