SquirrelMail contains a flaw that allows an attacker to inject arbitrary SQL code. The issue is due to insufficient sanitization of input sent to the "abook_database.php" script, which lets an attacker inject or manipulate SQL queries. By sending a specially crafted URL containing malicious SQL code, a remote attacker could add, modify or delete user information in the back-end database.
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Upgrade to version 1.4.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.