SquirrelMail Change_passwd Plugin contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system as well as read the contents of /etc/shadow. The issue is due to the program creating temporary files insecurely when updating a user's password. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly write to, or overwrite an attacker specified file.
Local Access Required
Loss of Confidentiality,
Loss of Integrity
Upgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.