ID CVE-2006-2195
Summary Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) templates/problem/problem.inc and (2) test.php.
References
Vulnerable Configurations
  • cpe:2.3:a:horde:horde:3.0
  • cpe:2.3:a:horde:horde:3.0.1
  • cpe:2.3:a:horde:horde:3.0.2
  • cpe:2.3:a:horde:horde:3.0.3
  • cpe:2.3:a:horde:horde:3.0.4
  • cpe:2.3:a:horde:horde:3.0.4_rc1
  • cpe:2.3:a:horde:horde:3.0.4_rc2
  • cpe:2.3:a:horde:horde:3.0.6
  • cpe:2.3:a:horde:horde:3.0.7
  • cpe:2.3:a:horde:horde:3.0.8
  • cpe:2.3:a:horde:horde:3.0.9
CVSS
Base: 6.8 (as of 15-06-2006 - 09:24)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200606-28.NASL
    description The remote host is affected by the vulnerability described in GLSA-200606-28 (Horde Web Application Framework: XSS vulnerability) Michael Marek discovered that the Horde Web Application Framework performs insufficient input sanitizing. Impact : An attacker could exploit these vulnerabilities to execute arbitrary scripts running in the context of the victim's browser. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 21774
    published 2006-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21774
    title GLSA-200606-28 : Horde Web Application Framework: XSS vulnerability
  • NASL family SuSE Local Security Checks
    NASL id SUSE_HORDE-1600.NASL
    description This update of horde fixes some cross-site-scripting vulnerabilities. (CVE-2005-4190,CVE-2006-2195)
    last seen 2018-09-01
    modified 2018-07-19
    plugin id 27264
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27264
    title openSUSE 10 Security Update : horde (horde-1600)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_09429F7CFD6E11DAB1CD0050BF27BA24.NASL
    description FrSIRT advisory ADV-2006-2356 reports : Multiple vulnerabilities have been identified in Horde Application Framework, which may be exploited by attackers to execute arbitrary scripting code. These flaws are due to input validation errors in the 'test.php' and 'templates/problem/problem.inc' scripts that do not validate the 'url', 'name', 'email', 'subject' and 'message' parameters, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Website.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 21730
    published 2006-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21730
    title FreeBSD : horde -- multiple parameter XSS vulnerabilities (09429f7c-fd6e-11da-b1cd-0050bf27ba24)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1098.NASL
    description Michael Marek discovered that the Horde web application framework performs insufficient input sanitising, which might lead to the injection of web script code through cross-site scripting.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22640
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22640
    title Debian DSA-1098-1 : horde3 - missing input sanitising
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1099.NASL
    description Michael Marek discovered that the Horde web application framework performs insufficient input sanitising, which might lead to the injection of web script code through cross-site scripting.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22641
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22641
    title Debian DSA-1099-1 : horde2 - missing input sanitising
packetstorm via4
data source https://packetstormsecurity.com/files/download/48074/horde3113010.txt
id PACKETSTORM:48074
last seen 2016-12-05
published 2006-07-09
reporter Moritz Naumann
source https://packetstormsecurity.com/files/48074/horde3113010.txt.html
title horde3113010.txt
refmap via4
bid 18436
confirm
debian
  • DSA-1098
  • DSA-1099
gentoo GLSA-200606-28
misc http://overlays.gentoo.org/dev/chtekk/browser/horde/www-apps/horde/files/horde-3.1.1-xss.diff?rev=4&format=txt
osvdb
  • 26513
  • 26514
sectrack 1016310
secunia
  • 20661
  • 20672
  • 20750
  • 20849
  • 20960
suse SUSE-SR:2006:016
vupen ADV-2006-2356
xf horde-test-problem-xss(27168)
Last major update 07-03-2011 - 21:35
Published 15-06-2006 - 06:02
Last modified 19-07-2017 - 21:31