The mail message display page in SquirrelMail up to and including 1.4.22 has XSS via a "<svg><a xlink:href=" attack.
squirrelmail squirrelmail