The mail message display page in SquirrelMail up to and including 1.4.22 has XSS via a "<math xlink:href=" attack.
squirrelmail squirrelmail