Show filters
1 Total Results
Displaying 1-1 of 1
Sort by:
Attacker Value
Very Low


Disclosure Date: June 20, 2020 (last updated November 08, 2023)
compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded).