Version 1.4.9a of SquirrelMail has been released. It fixes several cross-site scripting vulnerabilities that could be exploited to inject code in Web sessions.
The first flaw lies in the webmail.php and compose.php scripts and stems from incorrect filtering of certain parameters before they are sent to the client. The second vulnerability affects the magicHTML filter which filters and cleans up content of HTML messages.
An attacker could inject HTML code or scripts through these vulnerabilities and run it on the user’s mail client.
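The root cause named above, a parameter reaching the client without being encoded for the HTML context, is easiest to see side by side with its fix. The snippet below is an added illustration, not SquirrelMail's own code or the patched files from 1.4.9a: the function names `render_unsafe`/`render_safe` and the sample input are assumptions constructed for the demonstration.

```php
<?php
// Added illustration (not SquirrelMail code): the same reflected value
// written into a page without and with output encoding.

// Constructed sample input standing in for a request parameter that an
// attacker controls (for example a mailbox name taken from the query string).
$sample_input = '<script>alert(1)</script>';

// Vulnerable pattern: the parameter is concatenated into the response
// unfiltered, so any markup it carries is interpreted by the browser.
function render_unsafe(string $value): string {
    return '<p>Mailbox: ' . $value . '</p>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes single quotes, which matters when the value
// lands inside an attribute; the explicit charset avoids encoding mismatches.
function render_safe(string $value): string {
    return '<p>Mailbox: ' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Regression-style check a maintainer can keep in a test suite: no raw
// angle brackets from untrusted input may survive in the rendered output.
function output_is_inert(string $rendered, string $untrusted): bool {
    return strpos($rendered, $untrusted) === false;
}

echo render_unsafe($sample_input), PHP_EOL;
echo render_safe($sample_input), PHP_EOL;
var_dump(output_is_inert(render_unsafe($sample_input), $sample_input)); // unsafe
var_dump(output_is_inert(render_safe($sample_input), $sample_input));   // safe
```

The encoding has to happen at output time and match the context (HTML body, attribute, JavaScript string, URL); a filter applied on input, which is the class of mistake the magicHTML issue belongs to, is easy to bypass because the same value can be rendered in several contexts later.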
Versions 1.4.0 to 1.4.9 of SquirrelMail are affected, whereas version 1.4.9a fixes all of these issues. More details are in the original advisory, available at http://squirrelmail.org/security/issue/2006-12-02