Vulnerability Details CVE-2020-14933
compose.php in SquirrelMail 1.4.22 calls unserialize for the $attachments value, which originates from an HTTP POST request. NOTE: the vendor disputes this because these two conditions for PHP object injection are not satisfied: existence of a PHP magic method (such as __wakeup or __destruct), and any attack-relevant classes must be declared before unserialize is called (or must be autoloaded).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 64.2%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.5
References
Products affected by CVE-2020-14933
-
cpe:2.3:a:squirrelmail:squirrelmail:1.4.22