Vulnerabilities related to horde - groupware
CVE-2015-7984 (GCVE-0-2015-7984)
Vulnerability from cvelistv5
Published
2015-11-19 20:00
Modified
2024-08-06 08:06
CWE
- n/a
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php.
References
URL | Tags | |
---|---|---|
http://lists.horde.org/archives/announce/2015/001124.html | mailing-list, x_refsource_MLIST | |
http://lists.horde.org/archives/announce/2015/001138.html | mailing-list, x_refsource_MLIST | |
https://www.exploit-db.com/exploits/38765/ | exploit, x_refsource_EXPLOIT-DB | |
http://www.debian.org/security/2015/dsa-3391 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.horde.org/archives/announce/2015/001137.html | mailing-list, x_refsource_MLIST | |
https://www.htbridge.com/advisory/HTB23272 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:06:31.501Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[announce] 20151021 [SECURITY] Horde 5.2.8 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2015/001124.html" }, { "name": "[announce] 20151022 [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2015/001138.html" }, { "name": "38765", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/38765/" }, { "name": "DSA-3391", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3391" }, { "name": "[announce] 20151022 [SECURITY] Horde Groupware 5.2.11 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2015/001137.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.htbridge.com/advisory/HTB23272" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-10-21T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-05T22:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[announce] 20151021 [SECURITY] Horde 5.2.8 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2015/001124.html" }, { "name": "[announce] 20151022 [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2015/001138.html" }, { "name": "38765", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/38765/" }, { "name": "DSA-3391", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3391" }, { "name": "[announce] 20151022 [SECURITY] Horde Groupware 5.2.11 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2015/001137.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.htbridge.com/advisory/HTB23272" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7984", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter 
to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[announce] 20151021 [SECURITY] Horde 5.2.8 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2015/001124.html" }, { "name": "[announce] 20151022 [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2015/001138.html" }, { "name": "38765", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/38765/" }, { "name": "DSA-3391", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3391" }, { "name": "[announce] 20151022 [SECURITY] Horde Groupware 5.2.11 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2015/001137.html" }, { "name": "https://www.htbridge.com/advisory/HTB23272", "refsource": "MISC", "url": "https://www.htbridge.com/advisory/HTB23272" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7984", "datePublished": "2015-11-19T20:00:00", "dateReserved": "2015-10-26T00:00:00", "dateUpdated": "2024-08-06T08:06:31.501Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5566 (GCVE-0-2012-5566)
Vulnerability from cvelistv5
Published
2014-04-05 21:00
Modified
2024-08-06 21:14
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view.
References
URL | Tags | |
---|---|---|
http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html | vendor-advisory, x_refsource_SUSE | |
http://bugs.horde.org/ticket/11189 | x_refsource_CONFIRM | |
http://www.osvdb.org/82382 | vdb-entry, x_refsource_OSVDB | |
http://lists.horde.org/archives/announce/2012/000773.html | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2012/11/23/3 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2012/11/23/7 | mailing-list, x_refsource_MLIST | |
http://www.osvdb.org/82371 | vdb-entry, x_refsource_OSVDB | |
http://securitytracker.com/id?1027106 | vdb-entry, x_refsource_SECTRACK | |
https://github.com/horde/horde/blob/master/kronolith/docs/CHANGES | x_refsource_CONFIRM | |
http://secunia.com/advisories/51469 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/56541 | vdb-entry, x_refsource_BID | |
http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:15.683Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "openSUSE-SU-2012:1625", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.horde.org/ticket/11189" }, { "name": "82382", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/82382" }, { "name": "[announce] 20120529 Horde Groupware Webmail Edition 4.0.8 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2012/000773.html" }, { "name": "[oss-security] 20121123 CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "name": "[oss-security] 20121123 Re: CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "name": "82371", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/82371" }, { "name": "1027106", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1027106" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/blob/master/kronolith/docs/CHANGES" }, { "name": "51469", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51469" }, { "name": "56541", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/56541" }, { "tags": [ "x_refsource_CONFIRM", 
"x_transferred" ], "url": "http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-05-29T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-05T19:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "openSUSE-SU-2012:1625", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.horde.org/ticket/11189" }, { "name": "82382", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/82382" }, { "name": "[announce] 20120529 Horde Groupware Webmail Edition 4.0.8 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2012/000773.html" }, { "name": "[oss-security] 20121123 CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "name": "[oss-security] 20121123 Re: CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "name": "82371", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": 
"http://www.osvdb.org/82371" }, { "name": "1027106", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1027106" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/blob/master/kronolith/docs/CHANGES" }, { "name": "51469", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51469" }, { "name": "56541", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/56541" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5566", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "openSUSE-SU-2012:1625", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "name": "http://bugs.horde.org/ticket/11189", "refsource": "CONFIRM", "url": "http://bugs.horde.org/ticket/11189" }, { "name": "82382", "refsource": "OSVDB", "url": "http://www.osvdb.org/82382" }, { "name": "[announce] 20120529 Horde Groupware Webmail Edition 4.0.8 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2012/000773.html" }, { "name": "[oss-security] 20121123 CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "name": "[oss-security] 20121123 Re: CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "name": "82371", "refsource": "OSVDB", "url": "http://www.osvdb.org/82371" }, { "name": "1027106", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1027106" }, { "name": "https://github.com/horde/horde/blob/master/kronolith/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/blob/master/kronolith/docs/CHANGES" }, { "name": "51469", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51469" }, { "name": "56541", "refsource": "BID", "url": "http://www.securityfocus.com/bid/56541" }, { "name": "http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2", "refsource": "CONFIRM", "url": "http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5566", "datePublished": "2014-04-05T21:00:00", 
"dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:14:15.683Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-6275 (GCVE-0-2013-6275)
Vulnerability from cvelistv5
Published
2019-11-05 18:50
Modified
2024-08-06 17:38
CWE
- n/a
Summary
Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php.
References
URL | Tags | |
---|---|---|
https://security-tracker.debian.org/tracker/CVE-2013-6275 | x_refsource_MISC | |
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-6275 | x_refsource_MISC | |
http://archives.neohapsis.com/archives/bugtraq/2013-10/0134.html | x_refsource_MISC | |
http://www.exploit-db.com/exploits/29274 | x_refsource_MISC | |
http://www.securityfocus.com/bid/63377 | x_refsource_MISC | |
http://www.securitytracker.com/id/1029285 | x_refsource_MISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/88321 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:38:59.388Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6275" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-6275" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-10/0134.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/29274" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.securityfocus.com/bid/63377" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.securitytracker.com/id/1029285" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/88321" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-10-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-05T18:50:49", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6275" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-6275" }, { "tags": [ "x_refsource_MISC" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-10/0134.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.exploit-db.com/exploits/29274" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.securityfocus.com/bid/63377" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.securitytracker.com/id/1029285" }, { "tags": [ "x_refsource_MISC" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/88321" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-6275", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://security-tracker.debian.org/tracker/CVE-2013-6275", "refsource": "MISC", "url": "https://security-tracker.debian.org/tracker/CVE-2013-6275" }, { "name": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-6275", "refsource": "MISC", "url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-6275" }, { "name": "http://archives.neohapsis.com/archives/bugtraq/2013-10/0134.html", "refsource": "MISC", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-10/0134.html" }, { "name": "http://www.exploit-db.com/exploits/29274", "refsource": "MISC", "url": "http://www.exploit-db.com/exploits/29274" }, { "name": "http://www.securityfocus.com/bid/63377", "refsource": "MISC", "url": "http://www.securityfocus.com/bid/63377" }, { "name": "http://www.securitytracker.com/id/1029285", "refsource": "MISC", "url": "http://www.securitytracker.com/id/1029285" }, { "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/88321", "refsource": "MISC", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/88321" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-6275", "datePublished": "2019-11-05T18:50:49", "dateReserved": "2013-10-24T00:00:00", "dateUpdated": "2024-08-06T17:38:59.388Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-16907 (GCVE-0-2017-16907)
Vulnerability from cvelistv5
Published
2017-11-20 20:00
Modified
2024-08-05 20:35
CWE
- n/a
Summary
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
References
URL | Tags | |
---|---|---|
http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html | x_refsource_MISC | |
https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2020/08/msg00046.html | mailing-list, x_refsource_MLIST | |
https://lists.debian.org/debian-lts-announce/2020/08/msg00047.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:35:21.388Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2349-1] php-horde security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00046.html" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2348-1] php-horde-core security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00047.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-11-20T00:00:00", "descriptions": [ { "lang": "en", "value": "In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-29T20:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2349-1] php-horde security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00046.html" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2348-1] php-horde-core security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00047.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16907", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html", "refsource": "MISC", "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "name": "https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230", "refsource": "CONFIRM", "url": "https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2349-1] php-horde security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00046.html" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2348-1] php-horde-core security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00047.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16907", "datePublished": "2017-11-20T20:00:00", "dateReserved": "2017-11-20T00:00:00", "dateUpdated": "2024-08-05T20:35:21.388Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-4778 (GCVE-0-2010-4778)
Vulnerability from cvelistv5
Published
2011-04-01 21:00
Modified
2024-09-17 03:12
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail configuration, a different issue than CVE-2010-3695. NOTE: some of these details are obtained from third party information.
References
URL | Tags | |
---|---|---|
http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11 | x_refsource_CONFIRM | |
http://www.vupen.com/english/advisories/2010/2513 | vdb-entry, x_refsource_VUPEN |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:55:35.100Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "name": "ADV-2010-2513", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2513" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail configuration, a different issue than CVE-2010-3695. NOTE: some of these details are obtained from third party information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2011-04-01T21:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "name": "ADV-2010-2513", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2513" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-4778", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail configuration, a different issue than CVE-2010-3695. NOTE: some of these details are obtained from third party information." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11", "refsource": "CONFIRM", "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "name": "ADV-2010-2513", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/2513" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-4778", "datePublished": "2011-04-01T21:00:00Z", "dateReserved": "2011-04-01T00:00:00Z", "dateUpdated": "2024-09-17T03:12:55.114Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-0807 (GCVE-0-2008-0807)
Vulnerability from cvelistv5
Published
2008-02-19 00:00
Modified
2024-08-07 08:01
CWE
- n/a
Summary
lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:01:38.898Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "29186", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29186" }, { "name": "[announce] 20080215 Horde Groupware Webmail Edition 1.0.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000381.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=432027" }, { "name": "FEDORA-2008-2087", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html" }, { "name": "27844", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27844" }, { "name": "DSA-1507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1507" }, { "name": "28982", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28982" }, { "name": "29071", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29071" }, { "name": "[announce] 20080215 Turba H3 (2.1.7) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000378.html" }, { "name": "ADV-2008-0593", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0593/references" }, { "name": "[announce] 20080215 Turba H3 (2.2-RC3)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000379.html" }, { "name": "29185", "tags": [ 
"third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29185" }, { "name": "[announce] 20080215 Horde Groupware 1.0.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000380.html" }, { "name": "1019433", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1019433" }, { "name": "29184", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29184" }, { "name": "FEDORA-2008-2040", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-02-04T00:00:00", "descriptions": [ { "lang": "en", "value": "lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2008-03-05T10:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "29186", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29186" }, { "name": "[announce] 20080215 Horde Groupware Webmail Edition 1.0.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000381.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=432027" }, { "name": "FEDORA-2008-2087", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html" }, { "name": "27844", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27844" }, { "name": "DSA-1507", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1507" }, { "name": "28982", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28982" }, { "name": "29071", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29071" }, { "name": "[announce] 20080215 Turba H3 (2.1.7) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000378.html" }, { "name": "ADV-2008-0593", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0593/references" }, { "name": "[announce] 20080215 Turba H3 (2.2-RC3)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000379.html" }, { "name": "29185", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29185" }, { "name": "[announce] 
20080215 Horde Groupware 1.0.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000380.html" }, { "name": "1019433", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1019433" }, { "name": "29184", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29184" }, { "name": "FEDORA-2008-2040", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-0807", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "29186", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29186" }, { "name": "[announce] 20080215 Horde Groupware Webmail Edition 1.0.5 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000381.html" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=432027", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=432027" }, { "name": "FEDORA-2008-2087", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html" }, { "name": "27844", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27844" }, { "name": "DSA-1507", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1507" }, { "name": "28982", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28982" }, { "name": "29071", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29071" }, { "name": "[announce] 20080215 Turba H3 (2.1.7) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000378.html" }, { "name": "ADV-2008-0593", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0593/references" }, { "name": "[announce] 20080215 Turba H3 (2.2-RC3)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000379.html" }, { "name": "29185", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29185" }, { "name": "[announce] 20080215 Horde Groupware 1.0.4 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000380.html" }, { "name": "1019433", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1019433" }, { "name": "29184", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29184" }, { "name": "FEDORA-2008-2040", "refsource": "FEDORA", "url": 
"https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html" }, { "name": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058", "refsource": "CONFIRM", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-0807", "datePublished": "2008-02-19T00:00:00", "dateReserved": "2008-02-18T00:00:00", "dateUpdated": "2024-08-07T08:01:38.898Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-6365 (GCVE-0-2013-6365)
Vulnerability from cvelistv5
Published
2019-11-05 13:53
Modified
2024-08-06 17:39
CWE
- n/a
Summary
Horde Groupware Web mail 5.1.2 has a cross-site request forgery (CSRF) vulnerability in requests that change permissions.
References
URL | Tags | |
---|---|---|
https://security-tracker.debian.org/tracker/CVE-2013-6365 | x_refsource_MISC | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6365 | x_refsource_MISC | |
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6365 | x_refsource_MISC | |
http://archives.neohapsis.com/archives/bugtraq/2013-11/0013.html | x_refsource_MISC | |
https://www.securityfocus.com/archive/1/529590 | x_refsource_MISC | |
https://packetstormsecurity.com/files/cve/CVE-2013-6365 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:39:01.220Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6365" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6365" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6365" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0013.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.securityfocus.com/archive/1/529590" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://packetstormsecurity.com/files/cve/CVE-2013-6365" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-05T13:53:25", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6365" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6365" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6365" }, { "tags": [ "x_refsource_MISC" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0013.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.securityfocus.com/archive/1/529590" }, { "tags": [ "x_refsource_MISC" ], "url": 
"https://packetstormsecurity.com/files/cve/CVE-2013-6365" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-6365", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://security-tracker.debian.org/tracker/CVE-2013-6365", "refsource": "MISC", "url": "https://security-tracker.debian.org/tracker/CVE-2013-6365" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6365", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6365" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6365", "refsource": "MISC", "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6365" }, { "name": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0013.html", "refsource": "MISC", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0013.html" }, { "name": "https://www.securityfocus.com/archive/1/529590", "refsource": "MISC", "url": "https://www.securityfocus.com/archive/1/529590" }, { "name": "https://packetstormsecurity.com/files/cve/CVE-2013-6365", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/cve/CVE-2013-6365" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-6365", "datePublished": "2019-11-05T13:53:25", "dateReserved": "2013-11-03T00:00:00", "dateUpdated": "2024-08-06T17:39:01.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", 
"dataVersion": "5.1" }
CVE-2008-1974 (GCVE-0-2008-1974)
Vulnerability from cvelistv5
Published
2008-04-27 19:00
Modified
2024-08-07 08:41
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:41:00.156Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "51238", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/51238" }, { "name": "FEDORA-2008-3460", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00444.html" }, { "name": "29920", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29920" }, { "name": "28898", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28898" }, { "name": "30649", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/30649" }, { "name": "1019934", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://www.securitytracker.com/id?1019934" }, { "name": "FEDORA-2008-3543", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00427.html" }, { "name": "20080422 Horde Webmail XSS [Aria-Security]", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/491230/100/0/threaded" }, { "name": "horde-webmail-addevent-xss(41974)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41974" }, { "name": "ADV-2008-1373", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/1373/references" }, { "name": "DSA-1560", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2008/dsa-1560" }, { "name": "3831", "tags": [ "third-party-advisory", 
"x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/3831" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://forum.aria-security.com/showthread.php?t=49" }, { "name": "[kronolith] 20080427 Kronolith H3 (2.1.8) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/kronolith/Week-of-Mon-20080421/006807.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "51238", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/51238" }, { "name": "FEDORA-2008-3460", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00444.html" }, { "name": "29920", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29920" }, { "name": "28898", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28898" }, { "name": "30649", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/30649" }, { "name": "1019934", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://www.securitytracker.com/id?1019934" }, { "name": "FEDORA-2008-3543", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], 
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00427.html" }, { "name": "20080422 Horde Webmail XSS [Aria-Security]", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/491230/100/0/threaded" }, { "name": "horde-webmail-addevent-xss(41974)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41974" }, { "name": "ADV-2008-1373", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/1373/references" }, { "name": "DSA-1560", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2008/dsa-1560" }, { "name": "3831", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/3831" }, { "tags": [ "x_refsource_MISC" ], "url": "http://forum.aria-security.com/showthread.php?t=49" }, { "name": "[kronolith] 20080427 Kronolith H3 (2.1.8) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/kronolith/Week-of-Mon-20080421/006807.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1974", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "51238", "refsource": "OSVDB", "url": "http://osvdb.org/51238" }, { "name": "FEDORA-2008-3460", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00444.html" }, { "name": "29920", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29920" }, { "name": "28898", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28898" }, { "name": "30649", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30649" }, { "name": "1019934", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1019934" }, { "name": "FEDORA-2008-3543", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00427.html" }, { "name": "20080422 Horde Webmail XSS [Aria-Security]", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/491230/100/0/threaded" }, { "name": "horde-webmail-addevent-xss(41974)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41974" }, { "name": "ADV-2008-1373", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/1373/references" }, { "name": "DSA-1560", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2008/dsa-1560" }, { "name": "3831", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3831" }, { "name": "http://forum.aria-security.com/showthread.php?t=49", "refsource": "MISC", "url": "http://forum.aria-security.com/showthread.php?t=49" }, { "name": "[kronolith] 20080427 Kronolith H3 (2.1.8) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/kronolith/Week-of-Mon-20080421/006807.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1974", "datePublished": "2008-04-27T19:00:00", 
"dateReserved": "2008-04-27T00:00:00", "dateUpdated": "2024-08-07T08:41:00.156Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8035 (GCVE-0-2020-8035)
Vulnerability from cvelistv5
Published
2020-05-18 14:55
Modified
2024-08-04 09:48
CWE
- n/a
Summary
The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
References
URL | Tags | |
---|---|---|
https://lists.horde.org/archives/announce/2020/001290.html | x_refsource_CONFIRM | |
https://github.com/horde/base/blob/c00f2fdb222055fb2ccb6d53b5b5240c0a7d2a75/docs/CHANGES | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2020/05/msg00035.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:48:25.622Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://lists.horde.org/archives/announce/2020/001290.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/base/blob/c00f2fdb222055fb2ccb6d53b5b5240c0a7d2a75/docs/CHANGES" }, { "name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2230-1] php-horde security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00035.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-04-20T00:00:00", "descriptions": [ { "lang": "en", "value": "The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim\u0027s webmail account by making them visit a malicious URL." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-31T23:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://lists.horde.org/archives/announce/2020/001290.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/base/blob/c00f2fdb222055fb2ccb6d53b5b5240c0a7d2a75/docs/CHANGES" }, { "name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2230-1] php-horde security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00035.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8035", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim\u0027s webmail account by making them visit a malicious URL." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.horde.org/archives/announce/2020/001290.html", "refsource": "CONFIRM", "url": "https://lists.horde.org/archives/announce/2020/001290.html" }, { "name": "https://github.com/horde/base/blob/c00f2fdb222055fb2ccb6d53b5b5240c0a7d2a75/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/base/blob/c00f2fdb222055fb2ccb6d53b5b5240c0a7d2a75/docs/CHANGES" }, { "name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2230-1] php-horde security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00035.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8035", "datePublished": "2020-05-18T14:55:55", "dateReserved": "2020-01-27T00:00:00", "dateUpdated": "2024-08-04T09:48:25.622Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8518 (GCVE-0-2020-8518)
Vulnerability from cvelistv5
Published
2020-02-17 14:53
Modified
2024-08-04 10:03
CWE
- n/a
Summary
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
References
URL | Tags | |
---|---|---|
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T/ | vendor-advisory, x_refsource_FEDORA | |
https://lists.horde.org/archives/announce/2020/001285.html | x_refsource_CONFIRM | |
http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:03:46.283Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2020-0248ad925e", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ/" }, { "name": "FEDORA-2020-1e7cc91d55", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://lists.horde.org/archives/announce/2020/001285.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2174-1] php-horde-data security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-15T04:06:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "FEDORA-2020-0248ad925e", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ/" }, { "name": "FEDORA-2020-1e7cc91d55", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://lists.horde.org/archives/announce/2020/001285.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2174-1] php-horde-data security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8518", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "FEDORA-2020-0248ad925e", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ/" }, { "name": "FEDORA-2020-1e7cc91d55", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T/" }, { "name": "https://lists.horde.org/archives/announce/2020/001285.html", "refsource": "CONFIRM", "url": "https://lists.horde.org/archives/announce/2020/001285.html" }, { "name": "http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2174-1] php-horde-data security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8518", "datePublished": "2020-02-17T14:53:34", "dateReserved": "2020-02-03T00:00:00", "dateUpdated": "2024-08-04T10:03:46.283Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3701 (GCVE-0-2009-3701)
Vulnerability from cvelistv5
Published
2009-12-21 16:00
Modified
2024-08-07 06:38
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:38:30.163Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "37823", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37823" }, { "name": "[announce] 20091216 Horde Groupware 1.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "name": "20091217 [ISecAuditors Security Advisories] Horde 3.3.5 \"PHP_SELF\" Cross-Site Scripting vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0388.html" }, { "name": "[announce] 20091215 Horde 3.3.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "name": "ADV-2009-3549", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/3549" }, { "name": "20091217 [ISecAuditors Security Advisories] Horde 3.3.5 \"PHP_SELF\" Cross-Site Scripting vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/508531/100/0/threaded" }, { "name": "horde-admininterface-xss(54817)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54817" }, { "name": "37351", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/37351" }, { "name": "[announce] 20091217 Horde Groupware Webmail Edition 1.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", 
"x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "name": "37709", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/37709" }, { "name": "ADV-2009-3572", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2009/3572" }, { "name": "1023365", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1023365" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-12-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "37823", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37823" }, { "name": "[announce] 20091216 Horde Groupware 1.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "name": "20091217 [ISecAuditors Security Advisories] Horde 3.3.5 \"PHP_SELF\" Cross-Site Scripting vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0388.html" }, { "name": "[announce] 20091215 Horde 3.3.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "name": "ADV-2009-3549", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/3549" }, { "name": "20091217 [ISecAuditors Security Advisories] Horde 3.3.5 \"PHP_SELF\" Cross-Site Scripting vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/508531/100/0/threaded" }, { "name": "horde-admininterface-xss(54817)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54817" }, { "name": "37351", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/37351" }, { "name": "[announce] 20091217 Horde Groupware Webmail Edition 1.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { 
"name": "37709", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/37709" }, { "name": "ADV-2009-3572", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2009/3572" }, { "name": "1023365", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1023365" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3701", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "37823", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37823" }, { "name": "[announce] 20091216 Horde Groupware 1.2.5 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "name": "20091217 [ISecAuditors Security Advisories] Horde 3.3.5 \"PHP_SELF\" Cross-Site Scripting vulnerability", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0388.html" }, { "name": "[announce] 20091215 Horde 3.3.6 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "name": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h", "refsource": "CONFIRM", "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "name": "ADV-2009-3549", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/3549" }, { "name": "20091217 [ISecAuditors Security Advisories] Horde 3.3.5 \"PHP_SELF\" Cross-Site Scripting vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/508531/100/0/threaded" }, { "name": "horde-admininterface-xss(54817)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54817" }, { "name": "37351", "refsource": "BID", "url": "http://www.securityfocus.com/bid/37351" }, { "name": "[announce] 20091217 Horde Groupware Webmail Edition 1.2.5 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "name": "37709", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37709" }, { "name": "ADV-2009-3572", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/3572" }, { "name": "1023365", "refsource": "SECTRACK", "url": 
"http://securitytracker.com/id?1023365" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-3701", "datePublished": "2009-12-21T16:00:00", "dateReserved": "2009-10-15T00:00:00", "dateUpdated": "2024-08-07T06:38:30.163Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-7219 (GCVE-0-2008-7219)
Vulnerability from cvelistv5
Published
2009-09-13 22:00
Modified
2024-09-17 01:06
CWE
- n/a
Summary
Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 does not validate ownership when performing share changes, which has unknown impact and attack vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:56:14.482Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[announce] 20080122 Kronolith H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "name": "[announce] 20080122 Mnemo H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "name": "[announce] 20080109 Nag H3 (2.1.4) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "name": "27217", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27217" }, { "name": "[announce] 20080109 Horde Groupware 1.0.3 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "name": "[announce] 20080206 Horde Groupware 1.1-RC2", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "name": "FEDORA-2008-2212", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" }, { "name": "[announce] 20080109 Mnemo H3 (2.1.2) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "name": "28382", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28382" }, { "name": "[announce] 20080206 Horde Groupware Webmail Edition 1.1-RC2", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": 
"http://lists.horde.org/archives/announce/2008/000377.html" }, { "name": "[announce] 20080110 Horde Groupware Webmail Edition 1.0.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "name": "[announce] 20080109 Kronolith H3 (2.1.7) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "name": "[announce] 20080122 Nag H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000368.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 does not validate ownership when performing share changes, which has unknown impact and attack vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-09-13T22:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[announce] 20080122 Kronolith H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "name": "[announce] 20080122 Mnemo H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "name": "[announce] 20080109 Nag H3 (2.1.4) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "name": "27217", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27217" }, { "name": "[announce] 20080109 Horde Groupware 1.0.3 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "name": "[announce] 20080206 Horde Groupware 1.1-RC2", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "name": "FEDORA-2008-2212", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" }, { "name": "[announce] 20080109 Mnemo H3 (2.1.2) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "name": "28382", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28382" }, { "name": "[announce] 20080206 Horde Groupware Webmail Edition 1.1-RC2", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "name": "[announce] 20080110 Horde Groupware Webmail Edition 1.0.4 (final)", 
"tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "name": "[announce] 20080109 Kronolith H3 (2.1.7) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "name": "[announce] 20080122 Nag H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000368.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-7219", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 does not validate ownership when performing share changes, which has unknown impact and attack vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[announce] 20080122 Kronolith H3 (2.2-RC2)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "name": "[announce] 20080122 Mnemo H3 (2.2-RC2)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "name": "[announce] 20080109 Nag H3 (2.1.4) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "name": "27217", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27217" }, { "name": "[announce] 20080109 Horde Groupware 1.0.3 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "name": "[announce] 20080206 Horde Groupware 1.1-RC2", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "name": "FEDORA-2008-2212", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" }, { "name": "[announce] 20080109 Mnemo H3 (2.1.2) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "name": "28382", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28382" }, { "name": "[announce] 20080206 Horde Groupware Webmail Edition 1.1-RC2", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "name": "[announce] 20080110 Horde Groupware Webmail Edition 1.0.4 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "name": "[announce] 20080109 Kronolith H3 (2.1.7) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "name": "[announce] 20080122 Nag H3 (2.2-RC2)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000368.html" } ] } 
} } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-7219", "datePublished": "2009-09-13T22:00:00Z", "dateReserved": "2009-09-13T00:00:00Z", "dateUpdated": "2024-09-17T01:06:15.652Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-0209 (GCVE-0-2012-0209)
Vulnerability from cvelistv5
Published
2012-09-25 22:00
Modified
2024-09-16 21:57
CWE
- n/a
Summary
Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code.
References
▼ | URL | Tags |
---|---|---|
http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 | x_refsource_CONFIRM | |
http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/ | x_refsource_MISC | |
https://bugzilla.redhat.com/show_bug.cgi?id=790877 | x_refsource_MISC | |
http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html | x_refsource_MISC | |
http://lists.horde.org/archives/announce/2012/000751.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:16:19.685Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://dev.horde.org/h/jonah/stories/view.php?channel_id=1\u0026id=155" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=790877" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html" }, { "name": "[horde-announce] 20120213 [SECURITY] Remote execution backdoor after server hack (CVE-2012-0209)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2012/000751.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-25T22:00:00Z", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://dev.horde.org/h/jonah/stories/view.php?channel_id=1\u0026id=155" }, { "tags": [ "x_refsource_MISC" ], "url": "http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=790877" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html" }, { "name": "[horde-announce] 20120213 [SECURITY] Remote execution backdoor after server hack (CVE-2012-0209)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2012/000751.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@debian.org", "ID": "CVE-2012-0209", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://dev.horde.org/h/jonah/stories/view.php?channel_id=1\u0026id=155", "refsource": "CONFIRM", "url": "http://dev.horde.org/h/jonah/stories/view.php?channel_id=1\u0026id=155" }, { "name": "http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/", "refsource": "MISC", "url": "http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=790877", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=790877" }, { "name": "http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html" }, { "name": "[horde-announce] 20120213 [SECURITY] Remote execution backdoor after server hack (CVE-2012-0209)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2012/000751.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2012-0209", "datePublished": "2012-09-25T22:00:00Z", "dateReserved": "2011-12-14T00:00:00Z", "dateUpdated": "2024-09-16T21:57:27.267Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-4945 (GCVE-0-2014-4945)
Vulnerability from cvelistv5
Published
2014-07-14 14:00
Modified
2024-09-17 04:14
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/59772 | third-party-advisory, x_refsource_SECUNIA | |
http://lists.horde.org/archives/announce/2014/001025.html | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/59770 | third-party-advisory, x_refsource_SECUNIA | |
https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES | x_refsource_CONFIRM | |
https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES | x_refsource_CONFIRM | |
http://lists.horde.org/archives/announce/2014/001019.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T11:34:37.190Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "59772", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/59772" }, { "name": "[announce] 20140707 [SECURITY] Horde Groupware Webmail Edition 5.1.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "name": "59770", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/59770" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" }, { "name": "[announce] 20140707 [SECURITY] IMP 6.1.8 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2014/001019.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-07-14T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "59772", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/59772" }, { "name": "[announce] 20140707 [SECURITY] Horde Groupware Webmail Edition 5.1.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "name": "59770", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/59770" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" }, { "name": "[announce] 20140707 [SECURITY] IMP 6.1.8 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2014/001019.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-4945", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "59772", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59772" }, { "name": "[announce] 20140707 [SECURITY] Horde Groupware Webmail Edition 5.1.5 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "name": "59770", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59770" }, { "name": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "name": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" }, { "name": "[announce] 20140707 [SECURITY] IMP 6.1.8 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2014/001019.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-4945", "datePublished": "2014-07-14T14:00:00Z", "dateReserved": "2014-07-14T00:00:00Z", "dateUpdated": "2024-09-17T04:14:56.484Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-7414 (GCVE-0-2017-7414)
Vulnerability from cvelistv5
Published
2017-04-04 14:00
Modified
2024-08-05 16:04
CWE
- n/a
Summary
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it.
References
▼ | URL | Tags |
---|---|---|
https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:04:11.218Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" }, { "name": "[debian-lts-announce] 20180627 [SECURITY] [DLA 1398-1] php-horde-crypt security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-04-04T00:00:00", "descriptions": [ { "lang": "en", "value": "In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user\u0027s preferences, and has enabled the \"Should PGP signed messages be automatically verified when viewed?\" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-28T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" }, { "name": "[debian-lts-announce] 20180627 [SECURITY] [DLA 1398-1] php-horde-crypt security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7414", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user\u0027s preferences, and has enabled the \"Should PGP signed messages be automatically verified when viewed?\" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html", "refsource": "CONFIRM", "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" }, { "name": "[debian-lts-announce] 20180627 [SECURITY] [DLA 1398-1] php-horde-crypt security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7414", "datePublished": "2017-04-04T14:00:00", "dateReserved": "2017-04-03T00:00:00", "dateUpdated": "2024-08-05T16:04:11.218Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8034 (GCVE-0-2020-8034)
Vulnerability from cvelistv5
Published
2020-05-18 16:07
Modified
2024-08-04 09:48
CWE
- n/a
Summary
Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
References
▼ | URL | Tags |
---|---|---|
https://github.com/horde/gollem/commits/master | x_refsource_MISC | |
https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html | x_refsource_CONFIRM | |
https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES | x_refsource_CONFIRM | |
https://lists.horde.org/archives/announce/2020/001289.html | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:48:25.031Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/horde/gollem/commits/master" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.horde.org/archives/announce/2020/001289.html" }, { "name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2229-1] php-horde-gollem security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2020-04-20T00:00:00", "descriptions": [ { "lang": "en", "value": "Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim\u0027s webmail account by making them visit a malicious URL." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-05-31T17:06:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/horde/gollem/commits/master" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.horde.org/archives/announce/2020/001289.html" }, { "name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2229-1] php-horde-gollem security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8034", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim\u0027s webmail account by making them visit a malicious URL." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/horde/gollem/commits/master", "refsource": "MISC", "url": "https://github.com/horde/gollem/commits/master" }, { "name": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html", "refsource": "CONFIRM", "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html" }, { "name": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES" }, { "name": "https://lists.horde.org/archives/announce/2020/001289.html", "refsource": "MISC", "url": "https://lists.horde.org/archives/announce/2020/001289.html" }, { "name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2229-1] php-horde-gollem security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8034", "datePublished": "2020-05-18T16:07:37", "dateReserved": "2020-01-27T00:00:00", "dateUpdated": "2024-08-04T09:48:25.031Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-16908 (GCVE-0-2017-16908)
Vulnerability from cvelistv5
Published
2017-11-20 20:00
Modified
2024-08-05 20:35
CWE
- n/a
Summary
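In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed: script injected through the XSS runs inside the administrator's own session, so its requests are same-origin and a CSRF protection does not stop them.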
References
▼ | URL | Tags |
---|---|---|
http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html | x_refsource_MISC | |
https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716 | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:35:21.314Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2350-1] php-horde-kronolith security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-11-20T00:00:00", "descriptions": [ { "lang": "en", "value": "In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-29T21:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2350-1] php-horde-kronolith security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16908", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html", "refsource": "MISC", "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "name": "https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716", "refsource": "CONFIRM", "url": "https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2350-1] php-horde-kronolith security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16908", "datePublished": "2017-11-20T20:00:00", "dateReserved": "2017-11-20T00:00:00", "dateUpdated": "2024-08-05T20:35:21.314Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-0579 (GCVE-0-2007-0579)
Vulnerability from cvelistv5
Published
2007-01-30 17:00
Modified
2024-08-07 12:26
CWE
- n/a
Summary
Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information.
References
▼ | URL | Tags |
---|---|---|
http://lists.horde.org/archives/announce/2007/000309.html | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/bid/22273 | vdb-entry, x_refsource_BID | |
http://www.vupen.com/english/advisories/2007/0368 | vdb-entry, x_refsource_VUPEN | |
http://osvdb.org/33083 | vdb-entry, x_refsource_OSVDB | |
http://lists.horde.org/archives/announce/2007/000308.html | mailing-list, x_refsource_MLIST | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/31849 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T12:26:53.619Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[horde-announce] 20070114 Horde Groupware Webmail Edition 1.0 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2007/000309.html" }, { "name": "22273", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/22273" }, { "name": "ADV-2007-0368", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2007/0368" }, { "name": "33083", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/33083" }, { "name": "[horde-announce] 20070114 Horde Groupware 1.0 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2007/000308.html" }, { "name": "horde-calendar-file-include(31849)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31849" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-01-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[horde-announce] 20070114 Horde Groupware Webmail Edition 1.0 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2007/000309.html" }, { "name": "22273", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/22273" }, { "name": "ADV-2007-0368", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2007/0368" }, { "name": "33083", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/33083" }, { "name": "[horde-announce] 20070114 Horde Groupware 1.0 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2007/000308.html" }, { "name": "horde-calendar-file-include(31849)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31849" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-0579", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[horde-announce] 20070114 Horde Groupware Webmail Edition 1.0 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2007/000309.html" }, { "name": "22273", "refsource": "BID", "url": "http://www.securityfocus.com/bid/22273" }, { "name": "ADV-2007-0368", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2007/0368" }, { "name": "33083", "refsource": "OSVDB", "url": "http://osvdb.org/33083" }, { "name": "[horde-announce] 20070114 Horde Groupware 1.0 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2007/000308.html" }, { "name": "horde-calendar-file-include(31849)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31849" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-0579", "datePublished": "2007-01-30T17:00:00", "dateReserved": "2007-01-30T00:00:00", "dateUpdated": "2024-08-07T12:26:53.619Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-26929 (GCVE-0-2021-26929)
Vulnerability from cvelistv5
Published
2021-02-14 03:43
Modified
2024-08-03 20:33
CWE
- n/a
Summary
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.
References
▼ | URL | Tags |
---|---|---|
https://github.com/horde/webmail/releases | x_refsource_MISC | |
https://www.horde.org/apps/webmail | x_refsource_MISC | |
https://www.alexbirnberg.com/horde-xss.html | x_refsource_MISC | |
https://lists.horde.org/archives/announce/2021/001298.html | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2021/02/msg00028.html | mailing-list, x_refsource_MLIST | |
http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html | x_refsource_MISC | |
http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:33:41.620Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/horde/webmail/releases" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.horde.org/apps/webmail" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.alexbirnberg.com/horde-xss.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://lists.horde.org/archives/announce/2021/001298.html" }, { "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2564-1] php-horde-text-filter security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00028.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \\x00\\x00\\x00 and \\x01\\x01\\x01 interferes with XSS defenses." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-15T15:06:21", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/horde/webmail/releases" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.horde.org/apps/webmail" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.alexbirnberg.com/horde-xss.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://lists.horde.org/archives/announce/2021/001298.html" }, { "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2564-1] php-horde-text-filter security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00028.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-26929", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \\x00\\x00\\x00 and \\x01\\x01\\x01 interferes with XSS defenses." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/horde/webmail/releases", "refsource": "MISC", "url": "https://github.com/horde/webmail/releases" }, { "name": "https://www.horde.org/apps/webmail", "refsource": "MISC", "url": "https://www.horde.org/apps/webmail" }, { "name": "https://www.alexbirnberg.com/horde-xss.html", "refsource": "MISC", "url": "https://www.alexbirnberg.com/horde-xss.html" }, { "name": "https://lists.horde.org/archives/announce/2021/001298.html", "refsource": "CONFIRM", "url": "https://lists.horde.org/archives/announce/2021/001298.html" }, { "name": "[debian-lts-announce] 20210219 [SECURITY] [DLA 2564-1] php-horde-text-filter security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00028.html" }, { "name": "http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html" }, { "name": "http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-26929", "datePublished": "2021-02-14T03:43:49", "dateReserved": "2021-02-09T00:00:00", "dateUpdated": "2024-08-03T20:33:41.620Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-30287 (GCVE-0-2022-30287)
Vulnerability from cvelistv5
Published
2022-07-28 21:08
Modified
2024-10-19 13:05
CWE
- n/a
Summary
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
References
▼ | URL | Tags |
---|---|---|
https://www.horde.org/apps/webmail | x_refsource_MISC | |
https://blog.sonarsource.com/horde-webmail-rce-via-email/ | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-10-19T13:05:46.048Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.horde.org/apps/webmail" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.sonarsource.com/horde-webmail-rce-via-email/" }, { "name": "[debian-lts-announce] 20220831 [SECURITY] [DLA 3090-1] php-horde-turba security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html" }, { "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00014.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-31T10:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.horde.org/apps/webmail" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.sonarsource.com/horde-webmail-rce-via-email/" }, { "name": "[debian-lts-announce] 20220831 [SECURITY] [DLA 3090-1] php-horde-turba security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-30287", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.horde.org/apps/webmail", "refsource": "MISC", "url": "https://www.horde.org/apps/webmail" }, { "name": "https://blog.sonarsource.com/horde-webmail-rce-via-email/", "refsource": "MISC", "url": "https://blog.sonarsource.com/horde-webmail-rce-via-email/" }, { "name": "[debian-lts-announce] 20220831 [SECURITY] [DLA 3090-1] php-horde-turba security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-30287", "datePublished": "2022-07-28T21:08:21", "dateReserved": "2022-05-04T00:00:00", "dateUpdated": "2024-10-19T13:05:46.048Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-2783 (GCVE-0-2008-2783)
Vulnerability from cvelistv5
Published
2008-06-19 20:00
Modified
2024-08-07 09:14
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/29365 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/42640 | vdb-entry, x_refsource_XF |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T09:14:14.642Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "29365", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/29365" }, { "name": "kronolith-groupware-multiple-xss(42640)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42640" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-05-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-07T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "29365", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/29365" }, { "name": "kronolith-groupware-multiple-xss(42640)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42640" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-2783", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "29365", "refsource": "BID", "url": "http://www.securityfocus.com/bid/29365" }, { "name": "kronolith-groupware-multiple-xss(42640)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42640" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-2783", "datePublished": "2008-06-19T20:00:00", "dateReserved": "2008-06-19T00:00:00", "dateUpdated": "2024-08-07T09:14:14.642Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3236 (GCVE-0-2009-3236)
Vulnerability from cvelistv5
Published
2009-09-17 10:00
Modified
2024-08-07 06:22
CWE
- n/a
Summary
The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4 reuses temporary filenames during the upload process, which allows remote attackers with privileges to write to the address book to overwrite arbitrary files and execute PHP code via crafted Horde_Form_Type_image form field elements.
References
▼ | URL | Tags |
---|---|---|
http://www.osvdb.org/58107 | vdb-entry, x_refsource_OSVDB | |
http://secunia.com/advisories/36882 | third-party-advisory, x_refsource_SECUNIA | |
http://marc.info/?l=horde-announce&m=125294558611682&w=2 | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/36665 | third-party-advisory, x_refsource_SECUNIA | |
http://www.debian.org/security/2009/dsa-1897 | vendor-advisory, x_refsource_DEBIAN | |
http://marc.info/?l=horde-announce&m=125292314007049&w=2 | mailing-list, x_refsource_MLIST | |
http://marc.info/?l=horde-announce&m=125295852706029&w=2 | mailing-list, x_refsource_MLIST | |
http://marc.info/?l=horde-announce&m=125291625030436&w=2 | mailing-list, x_refsource_MLIST | |
http://marc.info/?l=horde-announce&m=125292339907481&w=2 | mailing-list, x_refsource_MLIST | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/53202 | vdb-entry, x_refsource_XF | |
http://marc.info/?l=horde-announce&m=125292088004087&w=2 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:23.949Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "58107", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/58107" }, { "name": "36882", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36882" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.2.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "name": "36665", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36665" }, { "name": "DSA-1897", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2009/dsa-1897" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.2.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.3.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "name": "horde-application-form-file-overwrite(53202)", "tags": [ "vdb-entry", "x_refsource_XF", 
"x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-09-14T00:00:00", "descriptions": [ { "lang": "en", "value": "The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote attackers, with privileges to write to the address book, to overwrite arbitrary files and execute PHP code via crafted Horde_Form_Type_image form field elements." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "58107", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/58107" }, { "name": "36882", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36882" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.2.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "name": "36665", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36665" }, { "name": "DSA-1897", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2009/dsa-1897" }, { "name": "[horde-announce] 20090914 [announce] 
Horde Groupware Webmail Edition 1.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.2.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.3.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "name": "horde-application-form-file-overwrite(53202)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3236", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote attackers, with privileges to write to the address book, to overwrite 
arbitrary files and execute PHP code via crafted Horde_Form_Type_image form field elements." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "58107", "refsource": "OSVDB", "url": "http://www.osvdb.org/58107" }, { "name": "36882", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36882" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.2.4 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "name": "36665", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36665" }, { "name": "DSA-1897", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2009/dsa-1897" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.1.6 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.2.4 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.2.5 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.3.5 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "name": "horde-application-form-file-overwrite(53202)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.1.6 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": 
"CVE-2009-3236", "datePublished": "2009-09-17T10:00:00", "dateReserved": "2009-09-16T00:00:00", "dateUpdated": "2024-08-07T06:22:23.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8865 (GCVE-0-2020-8865)
Vulnerability from cvelistv5
Published
2020-03-23 20:15
Modified
2024-08-04 10:12
Severity: 6.3 (MEDIUM), CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-23 - Relative Path Traversal
Summary
This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469.
References
URL | Tags | |
---|---|---|
https://www.zerodayinitiative.com/advisories/ZDI-20-276/ | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Horde | Groupware Webmail Edition | 5.2.22 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:12:10.978Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-276/" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2175-1] php-horde-trean security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Groupware Webmail Edition", "vendor": "Horde", "versions": [ { "status": "affected", "version": "5.2.22" } ] } ], "credits": [ { "lang": "en", "value": "Andrea Cardaci" } ], "descriptions": [ { "lang": "en", "value": "This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-04-15T04:06:00", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-276/" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2175-1] php-horde-trean security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "zdi-disclosures@trendmicro.com", "ID": "CVE-2020-8865", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Groupware Webmail Edition", "version": { "version_data": [ { "version_value": "5.2.22" } ] } } ] }, "vendor_name": "Horde" } ] } }, "credit": "Andrea Cardaci", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469." } ] }, "impact": { "cvss": { "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-23: Relative Path Traversal" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.zerodayinitiative.com/advisories/ZDI-20-276/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-276/" }, { "name": "[debian-lts-announce] 20200415 [SECURITY] [DLA 2175-1] php-horde-trean security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2020-8865", "datePublished": "2020-03-23T20:15:17", "dateReserved": "2020-02-11T00:00:00", "dateUpdated": "2024-08-04T10:12:10.978Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-12095 (GCVE-0-2019-12095)
Vulnerability from cvelistv5
Published
2019-10-24 17:09
Modified
2024-08-04 23:10
CWE
- n/a
Summary
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload.
References
▼ | URL | Tags |
---|---|---|
https://numanozdemir.com/respdisc/horde/horde.mp4 | x_refsource_MISC | |
https://numanozdemir.com/respdisc/horde/horde.txt | x_refsource_MISC | |
https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html | x_refsource_MISC | |
https://www.exploit-db.com/exploits/46903 | x_refsource_MISC | |
https://cxsecurity.com/issue/WLB-2019050199 | x_refsource_MISC | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/161333 | x_refsource_MISC | |
https://bugs.horde.org/ticket/14926 | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:10:30.573Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/46903" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161333" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.horde.org/ticket/14926" }, { "name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2033-1] php-horde security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-12-14T06:06:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/46903" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "tags": [ "x_refsource_MISC" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161333" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.horde.org/ticket/14926" }, { "name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2033-1] php-horde security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12095", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://numanozdemir.com/respdisc/horde/horde.mp4", "refsource": "MISC", "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "name": "https://numanozdemir.com/respdisc/horde/horde.txt", "refsource": "MISC", "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "name": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "name": "https://www.exploit-db.com/exploits/46903", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/46903" }, { "name": "https://cxsecurity.com/issue/WLB-2019050199", "refsource": "MISC", "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161333", "refsource": "MISC", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161333" }, { "name": "https://bugs.horde.org/ticket/14926", "refsource": "MISC", "url": "https://bugs.horde.org/ticket/14926" }, { "name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2033-1] php-horde security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12095", "datePublished": "2019-10-24T17:09:59", "dateReserved": "2019-05-14T00:00:00", "dateUpdated": "2024-08-04T23:10:30.573Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-2228 (GCVE-0-2016-2228)
Vulnerability from cvelistv5
Published
2016-04-13 16:00
Modified
2024-08-05 23:24
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php.
References
URL | Tags | |
---|---|---|
http://www.openwall.com/lists/oss-security/2016/02/06/4 | mailing-list, x_refsource_MLIST | |
http://bugs.horde.org/ticket/14213 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2016/02/06/5 | mailing-list, x_refsource_MLIST | |
http://www.debian.org/security/2016/dsa-3497 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.horde.org/archives/announce/2016/001149.html | mailing-list, x_refsource_MLIST | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.horde.org/archives/announce/2016/001148.html | mailing-list, x_refsource_MLIST | |
https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES | x_refsource_CONFIRM | |
https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:24:48.639Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20160206 CVE Request: Horde: Two cross-site scripting vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.horde.org/ticket/14213" }, { "name": "[oss-security] 20160206 Re: CVE Request: Horde: Two cross-site scripting vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "name": "DSA-3497", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3497" }, { "name": "FEDORA-2016-3d1183830b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware Webmail Edition 5.2.12 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "name": "FEDORA-2016-5d0e7f15ef", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware 5.2.12 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": 
"https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-04-13T15:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian" }, "references": [ { "name": "[oss-security] 20160206 CVE Request: Horde: Two cross-site scripting vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.horde.org/ticket/14213" }, { "name": "[oss-security] 20160206 Re: CVE Request: Horde: Two cross-site scripting vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "name": "DSA-3497", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3497" }, { "name": "FEDORA-2016-3d1183830b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware Webmail Edition 5.2.12 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "name": "FEDORA-2016-5d0e7f15ef", 
"tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware 5.2.12 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@debian.org", "ID": "CVE-2016-2228", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20160206 CVE Request: Horde: Two cross-site scripting vulnerabilities", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "name": "http://bugs.horde.org/ticket/14213", "refsource": "CONFIRM", "url": "http://bugs.horde.org/ticket/14213" }, { "name": "[oss-security] 20160206 Re: CVE Request: Horde: Two cross-site scripting vulnerabilities", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "name": "DSA-3497", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3497" }, { "name": "FEDORA-2016-3d1183830b", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware Webmail Edition 5.2.12 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "name": "FEDORA-2016-5d0e7f15ef", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware 5.2.12 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "name": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" }, { "name": "https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8" } ] } } } }, "cveMetadata": { "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": 
"debian", "cveId": "CVE-2016-2228", "datePublished": "2016-04-13T16:00:00", "dateReserved": "2016-02-06T00:00:00", "dateUpdated": "2024-08-05T23:24:48.639Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-3693 (GCVE-0-2010-3693)
Vulnerability from cvelistv5
Published
2011-04-01 21:00
Modified
2024-08-07 03:18
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:18:52.892Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[announce] 20100928 Horde Groupware Webmail Edition 1.2.7 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "name": "[oss-security] 20101001 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2010/10/01/6" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.horde.org/ticket/9240" }, { "name": "ADV-2010-2522", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2522" }, { "name": "dynamicimp-mailbox-xss(62080)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62080" }, { "name": "68267", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/68267" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://git.horde.org/diff.php/imp/lib/Views/ListMessages.php?rt=horde-git\u0026r1=b496687e2e71f3ebaecdff5ee49561fbfc1c74cb\u0026r2=48913cf3af81875d6e5c6f32e030c5913f22f25d" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "name": "[announce] 20100928 DIMP H3 (1.1.5) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2010/000561.html" }, { "name": "41639", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41639" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": 
"http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horde\u0026r1=1.69.2.82\u0026r2=1.69.2.87\u0026ty=h" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/7" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-09-28T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[announce] 20100928 Horde Groupware Webmail Edition 1.2.7 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "name": "[oss-security] 20101001 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2010/10/01/6" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.horde.org/ticket/9240" }, { "name": "ADV-2010-2522", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2522" }, { "name": "dynamicimp-mailbox-xss(62080)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62080" }, { "name": "68267", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/68267" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://git.horde.org/diff.php/imp/lib/Views/ListMessages.php?rt=horde-git\u0026r1=b496687e2e71f3ebaecdff5ee49561fbfc1c74cb\u0026r2=48913cf3af81875d6e5c6f32e030c5913f22f25d" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "name": "[announce] 20100928 DIMP H3 (1.1.5) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2010/000561.html" }, { "name": "41639", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41639" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horde\u0026r1=1.69.2.82\u0026r2=1.69.2.87\u0026ty=h" }, { "name": 
"[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/7" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2010-3693", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[announce] 20100928 Horde Groupware Webmail Edition 1.2.7 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "name": "[oss-security] 20101001 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2010/10/01/6" }, { "name": "http://bugs.horde.org/ticket/9240", "refsource": "CONFIRM", "url": "http://bugs.horde.org/ticket/9240" }, { "name": "ADV-2010-2522", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2010/2522" }, { "name": "dynamicimp-mailbox-xss(62080)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62080" }, { "name": "68267", "refsource": "OSVDB", "url": "http://www.osvdb.org/68267" }, { "name": "http://git.horde.org/diff.php/imp/lib/Views/ListMessages.php?rt=horde-git\u0026r1=b496687e2e71f3ebaecdff5ee49561fbfc1c74cb\u0026r2=48913cf3af81875d6e5c6f32e030c5913f22f25d", "refsource": "CONFIRM", "url": "http://git.horde.org/diff.php/imp/lib/Views/ListMessages.php?rt=horde-git\u0026r1=b496687e2e71f3ebaecdff5ee49561fbfc1c74cb\u0026r2=48913cf3af81875d6e5c6f32e030c5913f22f25d" }, { "name": "http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h", "refsource": "CONFIRM", "url": "http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "name": "[announce] 20100928 DIMP H3 (1.1.5) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2010/000561.html" }, { "name": "41639", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/41639" }, { "name": "http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horde\u0026r1=1.69.2.82\u0026r2=1.69.2.87\u0026ty=h", "refsource": "CONFIRM", "url": 
"http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horde\u0026r1=1.69.2.82\u0026r2=1.69.2.87\u0026ty=h" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2010/09/30/7" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3693", "datePublished": "2011-04-01T21:00:00", "dateReserved": "2010-10-01T00:00:00", "dateUpdated": "2024-08-07T03:18:52.892Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-1284 (GCVE-0-2008-1284)
Vulnerability from cvelistv5
Published
2008-03-11 00:00
Modified
2024-08-07 08:17
CWE
- n/a
Summary
Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:17:34.567Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "3726", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/3726" }, { "name": "29286", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29286" }, { "name": "horde-theme-file-include(41054)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41054" }, { "name": "[announce] 20080307 Horde Groupware 1.0.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000383.html" }, { "name": "[announce] 20080307 Horde Groupware Webmail Edition 1.0.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000384.html" }, { "name": "FEDORA-2008-2406", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00301.html" }, { "name": "20080307 Horde Webmail file inclusion proof of concept \u0026 patch.", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/489239/100/0/threaded" }, { "name": "GLSA-200805-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "http://security.gentoo.org/glsa/glsa-200805-01.xml" }, { "name": "DSA-1519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2008/dsa-1519" }, { "name": "30047", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/30047" }, { "name": "FEDORA-2008-2362", "tags": [ "vendor-advisory", 
"x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00253.html" }, { "name": "29374", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29374" }, { "name": "20080308 Re: Horde Webmail file inclusion proof of concept \u0026 patch.", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/489289/100/0/threaded" }, { "name": "[announce] 20080307 Horde 3.1.7 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000382.html" }, { "name": "ADV-2008-0822", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/0822/references" }, { "name": "28153", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/28153" }, { "name": "29400", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29400" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-03-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via \"..\" sequences and a null byte in the theme name." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "3726", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/3726" }, { "name": "29286", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29286" }, { "name": "horde-theme-file-include(41054)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41054" }, { "name": "[announce] 20080307 Horde Groupware 1.0.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000383.html" }, { "name": "[announce] 20080307 Horde Groupware Webmail Edition 1.0.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000384.html" }, { "name": "FEDORA-2008-2406", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00301.html" }, { "name": "20080307 Horde Webmail file inclusion proof of concept \u0026 patch.", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/489239/100/0/threaded" }, { "name": "GLSA-200805-01", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "http://security.gentoo.org/glsa/glsa-200805-01.xml" }, { "name": "DSA-1519", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2008/dsa-1519" }, { "name": "30047", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/30047" }, { "name": "FEDORA-2008-2362", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00253.html" }, { "name": "29374", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29374" }, { "name": "20080308 Re: Horde Webmail file inclusion proof of concept \u0026 patch.", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/489289/100/0/threaded" }, { "name": "[announce] 20080307 Horde 3.1.7 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000382.html" }, { "name": "ADV-2008-0822", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/0822/references" }, { "name": "28153", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/28153" }, { "name": "29400", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29400" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-1284", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via \"..\" sequences and a null byte in the theme name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "3726", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3726" }, { "name": "29286", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29286" }, { "name": "horde-theme-file-include(41054)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41054" }, { "name": "[announce] 20080307 Horde Groupware 1.0.5 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000383.html" }, { "name": "[announce] 20080307 Horde Groupware Webmail Edition 1.0.6 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000384.html" }, { "name": "FEDORA-2008-2406", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00301.html" }, { "name": "20080307 Horde Webmail file inclusion proof of concept \u0026 patch.", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489239/100/0/threaded" }, { "name": "GLSA-200805-01", "refsource": "GENTOO", "url": "http://security.gentoo.org/glsa/glsa-200805-01.xml" }, { "name": "DSA-1519", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2008/dsa-1519" }, { "name": "30047", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/30047" }, { "name": "FEDORA-2008-2362", "refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00253.html" }, { "name": "29374", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29374" }, { "name": "20080308 Re: Horde Webmail file inclusion proof of concept \u0026 patch.", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/489289/100/0/threaded" }, { "name": "[announce] 20080307 Horde 3.1.7 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000382.html" }, { 
"name": "ADV-2008-0822", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0822/references" }, { "name": "28153", "refsource": "BID", "url": "http://www.securityfocus.com/bid/28153" }, { "name": "29400", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29400" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-1284", "datePublished": "2008-03-11T00:00:00", "dateReserved": "2008-03-10T00:00:00", "dateUpdated": "2024-08-07T08:17:34.567Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5565 (GCVE-0-2012-5565)
Vulnerability from cvelistv5
Published
2014-04-05 21:00
Modified
2024-08-06 21:14
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file, related to the dynamic view.
References
▼ | URL | Tags |
---|---|---|
http://lists.opensuse.org/opensuse-updates/2012-12/msg00020.html | vendor-advisory, x_refsource_SUSE | |
http://lists.horde.org/archives/announce/2012/000833.html | mailing-list, x_refsource_MLIST | |
https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2012/11/23/6 | mailing-list, x_refsource_MLIST | |
http://lists.horde.org/archives/announce/2012/000840.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:15.432Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "openSUSE-SU-2012:1626", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00020.html" }, { "name": "[announce] 20121114 IMP H4 (5.0.24) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2012/000833.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2" }, { "name": "[oss-security] 20121123 Re: CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading attachments.", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/6" }, { "name": "[announce] 20121114 Horde Groupware Webmail Edition 4.0.9 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2012/000840.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-11-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file, related to the dynamic view." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-05T19:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "openSUSE-SU-2012:1626", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00020.html" }, { "name": "[announce] 20121114 IMP H4 (5.0.24) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2012/000833.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2" }, { "name": "[oss-security] 20121123 Re: CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading attachments.", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/6" }, { "name": "[announce] 20121114 Horde Groupware Webmail Edition 4.0.9 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2012/000840.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5565", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file, related to the dynamic view." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "openSUSE-SU-2012:1626", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00020.html" }, { "name": "[announce] 20121114 IMP H4 (5.0.24) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2012/000833.html" }, { "name": "https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2" }, { "name": "[oss-security] 20121123 Re: CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading attachments.", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/6" }, { "name": "[announce] 20121114 Horde Groupware Webmail Edition 4.0.9 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2012/000840.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5565", "datePublished": "2014-04-05T21:00:00", "dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:14:15.432Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-6364 (GCVE-0-2013-6364)
Vulnerability from cvelistv5
Published
2019-11-05 13:43
Modified
2024-08-06 17:39
CWE
- n/a
Summary
Horde Groupware Webmail Edition has CSRF and XSS vulnerabilities when saving a search as a virtual address book.
References
▼ | URL | Tags |
---|---|---|
https://security-tracker.debian.org/tracker/CVE-2013-6364 | x_refsource_MISC | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364 | x_refsource_MISC | |
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364 | x_refsource_MISC | |
http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html | x_refsource_MISC | |
http://www.exploit-db.com/exploits/29519 | x_refsource_MISC | |
https://www.securityfocus.com/archive/1/529589 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:39:00.998Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6364" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/29519" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.securityfocus.com/archive/1/529589" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-05T13:43:51", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6364" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364" }, { "tags": [ "x_refsource_MISC" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.exploit-db.com/exploits/29519" }, { "tags": [ "x_refsource_MISC" ], "url": 
"https://www.securityfocus.com/archive/1/529589" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-6364", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://security-tracker.debian.org/tracker/CVE-2013-6364", "refsource": "MISC", "url": "https://security-tracker.debian.org/tracker/CVE-2013-6364" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364" }, { "name": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364", "refsource": "MISC", "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364" }, { "name": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html", "refsource": "MISC", "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html" }, { "name": "http://www.exploit-db.com/exploits/29519", "refsource": "MISC", "url": "http://www.exploit-db.com/exploits/29519" }, { "name": "https://www.securityfocus.com/archive/1/529589", "refsource": "MISC", "url": "https://www.securityfocus.com/archive/1/529589" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-6364", "datePublished": "2019-11-05T13:43:51", "dateReserved": "2013-11-03T00:00:00", "dateUpdated": "2024-08-06T17:39:00.998Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-12094 (GCVE-0-2019-12094)
Vulnerability from cvelistv5
Published
2019-10-24 16:49
Modified
2024-08-04 23:10
CWE
- n/a
Summary
Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.
References
▼ | URL | Tags |
---|---|---|
https://numanozdemir.com/respdisc/horde/horde.mp4 | x_refsource_MISC | |
https://numanozdemir.com/respdisc/horde/horde.txt | x_refsource_MISC | |
https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html | x_refsource_MISC | |
https://www.exploit-db.com/exploits/46903 | x_refsource_MISC | |
https://cxsecurity.com/issue/WLB-2019050199 | x_refsource_MISC | |
https://bugs.horde.org/ticket/14926 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:10:30.519Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/46903" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugs.horde.org/ticket/14926" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f\u0026user_name= or admin/user.php?form=remove_f\u0026user_name= or admin/config/diff.php?app= URI." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-12-03T16:39:06", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.exploit-db.com/exploits/46903" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "tags": [ "x_refsource_MISC" ], "url": "https://bugs.horde.org/ticket/14926" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12094", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f\u0026user_name= or admin/user.php?form=remove_f\u0026user_name= or admin/config/diff.php?app= URI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://numanozdemir.com/respdisc/horde/horde.mp4", "refsource": "MISC", "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "name": "https://numanozdemir.com/respdisc/horde/horde.txt", "refsource": "MISC", "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "name": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "name": "https://www.exploit-db.com/exploits/46903", "refsource": "MISC", "url": "https://www.exploit-db.com/exploits/46903" }, { "name": "https://cxsecurity.com/issue/WLB-2019050199", "refsource": "MISC", "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "name": "https://bugs.horde.org/ticket/14926", "refsource": "MISC", "url": "https://bugs.horde.org/ticket/14926" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12094", "datePublished": "2019-10-24T16:49:03", "dateReserved": "2019-05-14T00:00:00", "dateUpdated": "2024-08-04T23:10:30.519Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-4946 (GCVE-0-2014-4946)
Vulnerability from cvelistv5
Published
2014-07-14 14:00
Modified
2024-09-17 03:03
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view.
References
▼ | URL | Tags |
---|---|---|
http://secunia.com/advisories/59772 | third-party-advisory, x_refsource_SECUNIA | |
http://lists.horde.org/archives/announce/2014/001025.html | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/59770 | third-party-advisory, x_refsource_SECUNIA | |
https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES | x_refsource_CONFIRM | |
https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES | x_refsource_CONFIRM | |
http://lists.horde.org/archives/announce/2014/001019.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T11:34:36.570Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "59772", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/59772" }, { "name": "[announce] 20140707 [SECURITY] Horde Groupware Webmail Edition 5.1.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "name": "59770", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/59770" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" }, { "name": "[announce] 20140707 [SECURITY] IMP 6.1.8 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2014/001019.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-07-14T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "59772", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/59772" }, { "name": "[announce] 20140707 [SECURITY] Horde Groupware Webmail Edition 5.1.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "name": "59770", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/59770" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" }, { "name": "[announce] 20140707 [SECURITY] IMP 6.1.8 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2014/001019.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-4946", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "59772", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59772" }, { "name": "[announce] 20140707 [SECURITY] Horde Groupware Webmail Edition 5.1.5 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "name": "59770", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59770" }, { "name": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "name": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" }, { "name": "[announce] 20140707 [SECURITY] IMP 6.1.8 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2014/001019.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-4946", "datePublished": "2014-07-14T14:00:00Z", "dateReserved": "2014-07-14T00:00:00Z", "dateUpdated": "2024-09-17T03:03:19.100Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2008-7218 (GCVE-0-2008-7218)
Vulnerability from cvelistv5
Published
2009-09-13 22:00
Modified
2024-08-07 11:56
CWE
- n/a
Summary
Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and 2.2 before 2.2-RC2; Horde Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 has unknown impact and attack vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T11:56:14.413Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[announce] 20080122 Kronolith H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "name": "[announce] 20080122 Mnemo H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "name": "[announce] 20080109 Nag H3 (2.1.4) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "name": "27217", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27217" }, { "name": "[announce] 20080109 Horde Groupware 1.0.3 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "name": "[announce] 20080206 Horde Groupware 1.1-RC2", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "name": "[announce] 20080122 Turba H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000367.html" }, { "name": "FEDORA-2008-2212", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" }, { "name": "[announce] 20080109 Horde 3.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000360.html" }, { "name": "[announce] 20080109 Mnemo H3 (2.1.2) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": 
"http://lists.horde.org/archives/announce/2008/000364.html" }, { "name": "28382", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/28382" }, { "name": "[announce] 20080206 Horde Groupware Webmail Edition 1.1-RC2", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "name": "[announce] 20080110 Horde Groupware Webmail Edition 1.0.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "name": "[announce] 20080109 Turba H3 (2.1.6) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000361.html" }, { "name": "horde-hordeapi-privilege-escalation(39599)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39599" }, { "name": "[announce] 20080122 Horde 3.2-RC2", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000374.html" }, { "name": "[announce] 20080109 Kronolith H3 (2.1.7) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "name": "[announce] 20080122 Nag H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2008/000368.html" }, { "name": "42775", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/42775" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-01-09T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the Horde API in Horde 3.1 
before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and 2.2 before 2.2-RC2; Horde Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 has unknown impact and attack vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[announce] 20080122 Kronolith H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "name": "[announce] 20080122 Mnemo H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "name": "[announce] 20080109 Nag H3 (2.1.4) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "name": "27217", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27217" }, { "name": "[announce] 20080109 Horde Groupware 1.0.3 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "name": "[announce] 20080206 Horde Groupware 1.1-RC2", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "name": "[announce] 20080122 Turba H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000367.html" }, { "name": "FEDORA-2008-2212", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": 
"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" }, { "name": "[announce] 20080109 Horde 3.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000360.html" }, { "name": "[announce] 20080109 Mnemo H3 (2.1.2) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "name": "28382", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/28382" }, { "name": "[announce] 20080206 Horde Groupware Webmail Edition 1.1-RC2", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "name": "[announce] 20080110 Horde Groupware Webmail Edition 1.0.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "name": "[announce] 20080109 Turba H3 (2.1.6) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000361.html" }, { "name": "horde-hordeapi-privilege-escalation(39599)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39599" }, { "name": "[announce] 20080122 Horde 3.2-RC2", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000374.html" }, { "name": "[announce] 20080109 Kronolith H3 (2.1.7) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "name": "[announce] 20080122 Nag H3 (2.2-RC2)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2008/000368.html" }, { "name": "42775", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/42775" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": 
"CVE-2008-7218", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and 2.2 before 2.2-RC2; Horde Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 has unknown impact and attack vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[announce] 20080122 Kronolith H3 (2.2-RC2)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "name": "[announce] 20080122 Mnemo H3 (2.2-RC2)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "name": "[announce] 20080109 Nag H3 (2.1.4) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "name": "27217", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27217" }, { "name": "[announce] 20080109 Horde Groupware 1.0.3 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "name": "[announce] 20080206 Horde Groupware 1.1-RC2", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "name": "[announce] 20080122 Turba H3 (2.2-RC2)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000367.html" }, { "name": "FEDORA-2008-2212", 
"refsource": "FEDORA", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" }, { "name": "[announce] 20080109 Horde 3.1.6 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000360.html" }, { "name": "[announce] 20080109 Mnemo H3 (2.1.2) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "name": "28382", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/28382" }, { "name": "[announce] 20080206 Horde Groupware Webmail Edition 1.1-RC2", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "name": "[announce] 20080110 Horde Groupware Webmail Edition 1.0.4 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "name": "[announce] 20080109 Turba H3 (2.1.6) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000361.html" }, { "name": "horde-hordeapi-privilege-escalation(39599)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39599" }, { "name": "[announce] 20080122 Horde 3.2-RC2", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000374.html" }, { "name": "[announce] 20080109 Kronolith H3 (2.1.7) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "name": "[announce] 20080122 Nag H3 (2.2-RC2)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2008/000368.html" }, { "name": "42775", "refsource": "OSVDB", "url": "http://www.osvdb.org/42775" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-7218", "datePublished": "2009-09-13T22:00:00", "dateReserved": "2009-09-13T00:00:00", "dateUpdated": "2024-08-07T11:56:14.413Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-16906 (GCVE-0-2017-16906)
Vulnerability from cvelistv5
Published
2017-11-20 20:00
Modified
2024-08-05 20:35
CWE
- n/a
Summary
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
References
▼ | URL | Tags |
---|---|---|
http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html | x_refsource_MISC | |
https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d | x_refsource_CONFIRM | |
https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T20:35:21.350Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2351-1] php-horde-kronolith security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-11-20T00:00:00", "descriptions": [ { "lang": "en", "value": "In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a \"Calendar -\u003e New Event\" action." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-29T21:06:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2351-1] php-horde-kronolith security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16906", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a \"Calendar -\u003e New Event\" action." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html", "refsource": "MISC", "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "name": "https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d", "refsource": "CONFIRM", "url": "https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d" }, { "name": "https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md", "refsource": "MISC", "url": "https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2351-1] php-horde-kronolith security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16906", "datePublished": "2017-11-20T20:00:00", "dateReserved": "2017-11-20T00:00:00", "dateUpdated": "2024-08-05T20:35:21.350Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-4363 (GCVE-0-2009-4363)
Vulnerability from cvelistv5
Published
2009-12-21 16:00
Modified
2024-09-17 01:20
CWE
- n/a
Summary
Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."
References
▼ | URL | Tags |
---|---|---|
http://marc.info/?l=horde-announce&m=126100750018478&w=2 | mailing-list, x_refsource_MLIST | |
http://lists.horde.org/archives/announce/2009/000529.html | mailing-list, x_refsource_MLIST | |
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559&r2=1.515.2.589&ty=h | x_refsource_CONFIRM | |
http://bugs.horde.org/view.php?actionID=view_file&type=patch&file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch&ticket=8715 | x_refsource_CONFIRM | |
http://marc.info/?l=horde-announce&m=126101076422179&w=2 | mailing-list, x_refsource_MLIST | |
http://bugs.horde.org/ticket/8715 | x_refsource_CONFIRM | |
http://securitytracker.com/id?1023365 | vdb-entry, x_refsource_SECTRACK |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T07:01:20.101Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[announce] 20091216 Horde Groupware 1.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "name": "[announce] 20091215 Horde 3.3.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.horde.org/view.php?actionID=view_file\u0026type=patch\u0026file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch\u0026ticket=8715" }, { "name": "[announce] 20091217 Horde Groupware Webmail Edition 1.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.horde.org/ticket/8715" }, { "name": "1023365", "tags": [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred" ], "url": "http://securitytracker.com/id?1023365" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. 
NOTE: the vendor states that the issue is caused by \"an XSS vulnerability in Firefox browsers.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2009-12-21T16:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[announce] 20091216 Horde Groupware 1.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "name": "[announce] 20091215 Horde 3.3.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.horde.org/view.php?actionID=view_file\u0026type=patch\u0026file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch\u0026ticket=8715" }, { "name": "[announce] 20091217 Horde Groupware Webmail Edition 1.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.horde.org/ticket/8715" }, { "name": "1023365", "tags": [ "vdb-entry", "x_refsource_SECTRACK" ], "url": "http://securitytracker.com/id?1023365" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-4363", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, 
Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by \"an XSS vulnerability in Firefox browsers.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[announce] 20091216 Horde Groupware 1.2.5 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "name": "[announce] 20091215 Horde 3.3.6 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "name": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h", "refsource": "CONFIRM", "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "name": "http://bugs.horde.org/view.php?actionID=view_file\u0026type=patch\u0026file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch\u0026ticket=8715", "refsource": "CONFIRM", "url": "http://bugs.horde.org/view.php?actionID=view_file\u0026type=patch\u0026file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch\u0026ticket=8715" }, { "name": "[announce] 20091217 Horde Groupware Webmail Edition 1.2.5 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "name": "http://bugs.horde.org/ticket/8715", "refsource": "CONFIRM", "url": "http://bugs.horde.org/ticket/8715" }, { "name": "1023365", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1023365" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-4363", "datePublished": "2009-12-21T16:00:00Z", "dateReserved": 
"2009-12-21T00:00:00Z", "dateUpdated": "2024-09-17T01:20:38.554Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5567 (GCVE-0-2012-5567)
Vulnerability from cvelistv5
Published
2014-04-05 21:00
Modified
2024-08-06 21:14
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1) month, (2) monthlist, or (3) prevmonthlist fields, related to portal blocks.
References
▼ | URL | Tags |
---|---|---|
https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES | x_refsource_CONFIRM | |
http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html | vendor-advisory, x_refsource_SUSE | |
http://www.openwall.com/lists/oss-security/2012/11/23/3 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2012/11/23/7 | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/51233 | third-party-advisory, x_refsource_SECUNIA | |
http://lists.horde.org/archives/announce/2012/000836.html | mailing-list, x_refsource_MLIST | |
http://secunia.com/advisories/51469 | third-party-advisory, x_refsource_SECUNIA | |
https://bugzilla.redhat.com/show_bug.cgi?id=879684 | x_refsource_CONFIRM | |
http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/56541 | vdb-entry, x_refsource_BID | |
http://www.osvdb.org/87345 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:15.603Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES" }, { "name": "openSUSE-SU-2012:1625", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "name": "[oss-security] 20121123 CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "name": "[oss-security] 20121123 Re: CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "name": "51233", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51233" }, { "name": "[announce] 20121114 Kronolith H4 (3.0.18) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2012/000836.html" }, { "name": "51469", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51469" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=879684" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e" }, { "name": "56541", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/56541" }, { "name": "87345", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": 
"http://www.osvdb.org/87345" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-11-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1) month, (2) monthlist, or (3) prevmonthlist fields, related to portal blocks." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-05T19:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES" }, { "name": "openSUSE-SU-2012:1625", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "name": "[oss-security] 20121123 CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "name": "[oss-security] 20121123 Re: CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "name": "51233", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51233" }, { "name": "[announce] 20121114 Kronolith H4 (3.0.18) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2012/000836.html" }, { "name": "51469", 
"tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51469" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=879684" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e" }, { "name": "56541", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/56541" }, { "name": "87345", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/87345" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5567", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1) month, (2) monthlist, or (3) prevmonthlist fields, related to portal blocks." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES" }, { "name": "openSUSE-SU-2012:1625", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "name": "[oss-security] 20121123 CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "name": "[oss-security] 20121123 Re: CVE Request -- kronolith: Two sets (3.0.17 \u0026\u0026 3.0.18) of XSS flaws", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "name": "51233", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51233" }, { "name": "[announce] 20121114 Kronolith H4 (3.0.18) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2012/000836.html" }, { "name": "51469", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51469" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=879684", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=879684" }, { "name": "http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e", "refsource": "CONFIRM", "url": "http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e" }, { "name": "56541", "refsource": "BID", "url": "http://www.securityfocus.com/bid/56541" }, { "name": "87345", "refsource": "OSVDB", "url": "http://www.osvdb.org/87345" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5567", "datePublished": "2014-04-05T21:00:00", 
"dateReserved": "2012-10-24T00:00:00", "dateUpdated": "2024-08-06T21:14:15.603Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-6640 (GCVE-0-2012-6640)
Vulnerability from cvelistv5
Published
2014-04-05 21:00
Modified
2024-09-16 17:14
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than CVE-2012-5565.
References
▼ | URL | Tags |
---|---|---|
http://lists.horde.org/archives/announce/2012/000775.html | mailing-list, x_refsource_MLIST | |
https://github.com/horde/horde/commit/08c699f744b6d2be1a5f3a2ba7203f4631b4c5dc | x_refsource_CONFIRM | |
http://lists.horde.org/archives/announce/2012/000840.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:36:01.866Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[announce] 20120626 IMP H4 (5.0.22) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2012/000775.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/commit/08c699f744b6d2be1a5f3a2ba7203f4631b4c5dc" }, { "name": "[announce] 20121114 Horde Groupware Webmail Edition 4.0.9 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2012/000840.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than CVE-2012-5565." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-04-05T21:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[announce] 20120626 IMP H4 (5.0.22) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2012/000775.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/commit/08c699f744b6d2be1a5f3a2ba7203f4631b4c5dc" }, { "name": "[announce] 20121114 Horde Groupware Webmail Edition 4.0.9 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2012/000840.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-6640", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than CVE-2012-5565." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[announce] 20120626 IMP H4 (5.0.22) (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2012/000775.html" }, { "name": "https://github.com/horde/horde/commit/08c699f744b6d2be1a5f3a2ba7203f4631b4c5dc", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/commit/08c699f744b6d2be1a5f3a2ba7203f4631b4c5dc" }, { "name": "[announce] 20121114 Horde Groupware Webmail Edition 4.0.9 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2012/000840.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-6640", "datePublished": "2014-04-05T21:00:00Z", "dateReserved": "2014-04-05T00:00:00Z", "dateUpdated": "2024-09-16T17:14:04.724Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-5303 (GCVE-0-2016-5303)
Vulnerability from cvelistv5
Published
2016-12-20 22:00
Modified
2024-08-06 01:00
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute.
References
▼ | URL | Tags |
---|---|---|
https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97 | x_refsource_CONFIRM | |
http://marc.info/?l=horde-announce&m=147319066126665&w=2 | mailing-list, x_refsource_MLIST | |
http://marc.info/?l=horde-announce&m=147319089526753&w=2 | mailing-list, x_refsource_MLIST | |
https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/94997 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T01:00:57.550Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97" }, { "name": "[horde-announce] 20160906 [SECURITY] Horde Groupware 5.2.16 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=147319066126665\u0026w=2" }, { "name": "[horde-announce] 20160906 [SECURITY] Horde Groupware Webmail Edition 5.2.16 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=147319089526753\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424" }, { "name": "94997", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/94997" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-09-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-22T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97" }, { "name": "[horde-announce] 20160906 [SECURITY] Horde Groupware 5.2.16 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=147319066126665\u0026w=2" }, { "name": "[horde-announce] 20160906 [SECURITY] Horde Groupware Webmail Edition 5.2.16 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=147319089526753\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424" }, { "name": "94997", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/94997" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-5303", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97" }, { "name": "[horde-announce] 20160906 [SECURITY] Horde Groupware 5.2.16 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=147319066126665\u0026w=2" }, { "name": "[horde-announce] 20160906 [SECURITY] Horde Groupware Webmail Edition 5.2.16 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=147319089526753\u0026w=2" }, { "name": "https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424" }, { "name": "94997", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94997" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-5303", "datePublished": "2016-12-20T22:00:00", "dateReserved": "2016-06-06T00:00:00", "dateUpdated": "2024-08-06T01:00:57.550Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2007-1679 (GCVE-0-2007-1679)
Vulnerability from cvelistv5
Published
2007-03-26 23:00
Modified
2025-01-17 14:17
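Severity
5.4 MEDIUM (CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, as scored in the CISA ADP container of this record)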
CWE
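- n/a (CNA container); the CISA ADP container of this record classifies the issue as CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')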
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages.
References
▼ | URL | Tags |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/33228 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/archive/1/463819/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://securityreason.com/securityalert/2487 | third-party-advisory, x_refsource_SREASON | |
http://www.securityfocus.com/bid/23136 | vdb-entry, x_refsource_BID | |
http://www.securityfocus.com/archive/1/463911/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T13:06:25.949Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "horde-search-rule-xss(33228)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33228" }, { "name": "20070325 Horde Webmail Multiple HTML Injection vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/463819/100/0/threaded" }, { "name": "2487", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/2487" }, { "name": "23136", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/23136" }, { "name": "20070326 Re: Horde Webmail Multiple HTML Injection vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/463911/100/0/threaded" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2007-1679", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-15T20:16:46.267575Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { 
"dateUpdated": "2025-01-17T14:17:13.977Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2007-03-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "horde-search-rule-xss(33228)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33228" }, { "name": "20070325 Horde Webmail Multiple HTML Injection vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/463819/100/0/threaded" }, { "name": "2487", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/2487" }, { "name": "23136", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/23136" }, { "name": "20070326 Re: Horde Webmail Multiple HTML Injection vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/463911/100/0/threaded" } ], "tags": [ "disputed" ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-1679", "STATE": "PUBLIC" }, "affects": { "vendor": { 
"vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "horde-search-rule-xss(33228)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33228" }, { "name": "20070325 Horde Webmail Multiple HTML Injection vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/463819/100/0/threaded" }, { "name": "2487", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/2487" }, { "name": "23136", "refsource": "BID", "url": "http://www.securityfocus.com/bid/23136" }, { "name": "20070326 Re: Horde Webmail Multiple HTML Injection vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/463911/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-1679", "datePublished": "2007-03-26T23:00:00", "dateReserved": "2007-03-26T00:00:00", "dateUpdated": "2025-01-17T14:17:13.977Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-8807 (GCVE-0-2015-8807)
Vulnerability from cvelistv5
Published
2016-04-13 16:00
Modified
2024-08-06 08:29
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields.
References
▼ | URL | Tags |
---|---|---|
http://www.openwall.com/lists/oss-security/2016/02/06/4 | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2016/02/06/5 | mailing-list, x_refsource_MLIST | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.horde.org/archives/announce/2016/001149.html | mailing-list, x_refsource_MLIST | |
https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253 | x_refsource_CONFIRM | |
http://www.debian.org/security/2016/dsa-3496 | vendor-advisory, x_refsource_DEBIAN | |
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html | vendor-advisory, x_refsource_FEDORA | |
http://lists.horde.org/archives/announce/2016/001148.html | mailing-list, x_refsource_MLIST | |
https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:29:22.027Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20160206 CVE Request: Horde: Two cross-site scripting vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "name": "[oss-security] 20160206 Re: CVE Request: Horde: Two cross-site scripting vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "name": "FEDORA-2016-3d1183830b", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware Webmail Edition 5.2.12 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253" }, { "name": "DSA-3496", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2016/dsa-3496" }, { "name": "FEDORA-2016-5d0e7f15ef", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware 5.2.12 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" } ], "title": "CVE 
Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-04-13T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20160206 CVE Request: Horde: Two cross-site scripting vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "name": "[oss-security] 20160206 Re: CVE Request: Horde: Two cross-site scripting vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "name": "FEDORA-2016-3d1183830b", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware Webmail Edition 5.2.12 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253" }, { "name": "DSA-3496", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2016/dsa-3496" }, { "name": "FEDORA-2016-5d0e7f15ef", "tags": [ "vendor-advisory", 
"x_refsource_FEDORA" ], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware 5.2.12 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-8807", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20160206 CVE Request: Horde: Two cross-site scripting vulnerabilities", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "name": "[oss-security] 20160206 Re: CVE Request: Horde: Two cross-site scripting vulnerabilities", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "name": "FEDORA-2016-3d1183830b", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware Webmail Edition 5.2.12 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "name": "https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253" }, { "name": "DSA-3496", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3496" }, { "name": "FEDORA-2016-5d0e7f15ef", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "name": "[announce] 20160202 [announce] [SECURITY] Horde Groupware 5.2.12 (final)", "refsource": "MLIST", "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "name": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-8807", "datePublished": "2016-04-13T16:00:00", "dateReserved": "2016-02-04T00:00:00", 
"dateUpdated": "2024-08-06T08:29:22.027Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-15235 (GCVE-0-2017-15235)
Vulnerability from cvelistv5
Published
2017-10-11 03:00
Modified
2024-08-05 19:50
CWE
- n/a
Summary
The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename.
References
URL | Tags |
---|---|
https://blogs.securiteam.com/index.php/archives/3454 | x_refsource_MISC |
https://lists.debian.org/debian-lts-announce/2020/08/msg00050.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:50:16.388Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blogs.securiteam.com/index.php/archives/3454" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2352-1] php-horde-gollem security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00050.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-10-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-29T21:06:10", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://blogs.securiteam.com/index.php/archives/3454" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2352-1] php-horde-gollem security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00050.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-15235", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ 
{ "lang": "eng", "value": "The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://blogs.securiteam.com/index.php/archives/3454", "refsource": "MISC", "url": "https://blogs.securiteam.com/index.php/archives/3454" }, { "name": "[debian-lts-announce] 20200829 [SECURITY] [DLA 2352-1] php-horde-gollem security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00050.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-15235", "datePublished": "2017-10-11T03:00:00", "dateReserved": "2017-10-10T00:00:00", "dateUpdated": "2024-08-05T19:50:16.388Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-8866 (GCVE-0-2020-8866)
Vulnerability from cvelistv5
Published
2020-03-23 20:15
Modified
2024-08-04 10:12
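Severity
4.3 (MEDIUM), CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (CNA metrics from the record below). The vector appears to rate the authenticated file creation on its own (I:L, C:N, A:N), not the chained code execution the summary mentions.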
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.
References
URL | Tags |
---|---|
https://www.zerodayinitiative.com/advisories/ZDI-20-275/ | x_refsource_MISC |
https://lists.horde.org/archives/announce/2020/001288.html | x_refsource_MISC |
https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Horde | Groupware Webmail Edition | 5.2.22 (affected) |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:12:10.981Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-275/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.horde.org/archives/announce/2020/001288.html" }, { "name": "[debian-lts-announce] 20200329 [SECURITY] [DLA 2162-1] php-horde-form security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Groupware Webmail Edition", "vendor": "Horde", "versions": [ { "status": "affected", "version": "5.2.22" } ] } ], "credits": [ { "lang": "en", "value": "Andrea Cardaci" } ], "descriptions": [ { "lang": "en", "value": "This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125." 
} ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-30T00:06:08", "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-275/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.horde.org/archives/announce/2020/001288.html" }, { "name": "[debian-lts-announce] 20200329 [SECURITY] [DLA 2162-1] php-horde-form security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "zdi-disclosures@trendmicro.com", "ID": "CVE-2020-8866", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Groupware Webmail Edition", "version": { "version_data": [ { "version_value": "5.2.22" } ] } } ] }, "vendor_name": "Horde" } ] } }, "credit": "Andrea Cardaci", "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. 
The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125." } ] }, "impact": { "cvss": { "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-434: Unrestricted Upload of File with Dangerous Type" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.zerodayinitiative.com/advisories/ZDI-20-275/", "refsource": "MISC", "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-275/" }, { "name": "https://lists.horde.org/archives/announce/2020/001288.html", "refsource": "MISC", "url": "https://lists.horde.org/archives/announce/2020/001288.html" }, { "name": "[debian-lts-announce] 20200329 [SECURITY] [DLA 2162-1] php-horde-form security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "assignerShortName": "zdi", "cveId": "CVE-2020-8866", "datePublished": "2020-03-23T20:15:17", "dateReserved": "2020-02-11T00:00:00", "dateUpdated": "2024-08-04T10:12:10.981Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-7413 (GCVE-0-2017-7413)
Vulnerability from cvelistv5
Published
2017-04-04 14:00
Modified
2024-08-05 16:04
CWE
- n/a
Summary
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address.
References
URL | Tags |
---|---|
https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html | x_refsource_CONFIRM |
https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:04:11.225Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" }, { "name": "[debian-lts-announce] 20180627 [SECURITY] [DLA 1398-1] php-horde-crypt security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-04-04T00:00:00", "descriptions": [ { "lang": "en", "value": "In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-06-28T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" }, { "name": "[debian-lts-announce] 20180627 [SECURITY] [DLA 1398-1] php-horde-crypt security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7413", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html", "refsource": "CONFIRM", "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" }, { "name": "[debian-lts-announce] 20180627 [SECURITY] [DLA 1398-1] php-horde-crypt security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7413", "datePublished": "2017-04-04T14:00:00", "dateReserved": "2017-04-03T00:00:00", "dateUpdated": "2024-08-05T16:04:11.225Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2010-3695 (GCVE-0-2010-3695)
Vulnerability from cvelistv5
Published
2011-03-31 22:00
Modified
2024-08-07 03:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T03:18:52.953Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[announce] 20100928 Horde Groupware Webmail Edition 1.2.7 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "name": "43515", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/43515" }, { "name": "DSA-2204", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2011/dsa-2204" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "name": "[oss-security] 20101001 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2010/10/01/6" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde\u0026r1=1.699.2.424\u0026r2=1.699.2.430\u0026ty=h" }, { "name": "20100927 XSS in Horde IMP \u003c=4.3.7, fetchmailprefs.php", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/513992/100/0/threaded" }, { "name": "20100927 XSS in Horde IMP \u003c=4.3.7, fetchmailprefs.php", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html" }, { "name": "[announce] 20100928 IMP H3 (4.3.8) (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://lists.horde.org/archives/announce/2010/000558.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": 
"http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "name": "ADV-2011-0769", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2011/0769" }, { "name": "8170", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/8170" }, { "name": "41627", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/41627" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=641069" }, { "name": "ADV-2010-2513", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2010/2513" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598584" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/7" }, { "name": "43896", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/43896" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-09-28T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML 
via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-10T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[announce] 20100928 Horde Groupware Webmail Edition 1.2.7 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "name": "43515", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/43515" }, { "name": "DSA-2204", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2011/dsa-2204" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "name": "[oss-security] 20101001 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2010/10/01/6" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde\u0026r1=1.699.2.424\u0026r2=1.699.2.430\u0026ty=h" }, { "name": "20100927 XSS in Horde IMP \u003c=4.3.7, fetchmailprefs.php", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/513992/100/0/threaded" }, { "name": "20100927 XSS in Horde IMP \u003c=4.3.7, fetchmailprefs.php", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html" }, { "name": "[announce] 20100928 IMP H3 (4.3.8) (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://lists.horde.org/archives/announce/2010/000558.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": 
"http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "name": "ADV-2011-0769", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2011/0769" }, { "name": "8170", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/8170" }, { "name": "41627", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/41627" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=641069" }, { "name": "ADV-2010-2513", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2010/2513" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598584" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "name": "[oss-security] 20100930 Re: CVE request: Horde Gollem \u003c1.1.2 XSS in view.php", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/7" }, { "name": "43896", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/43896" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3695", "datePublished": "2011-03-31T22:00:00", "dateReserved": "2010-10-01T00:00:00", "dateUpdated": "2024-08-07T03:18:52.953Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2009-3237 (GCVE-0-2009-3237)
Vulnerability from cvelistv5
Published
2009-09-17 10:00
Modified
2024-08-07 06:22
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter; or (2) crafted unknown MIME "text parts" that are not properly handled in the MIME viewer library (config/mime_drivers.php).
References
URL | Tags |
---|---|
http://marc.info/?l=horde-announce&m=125294558611682&w=2 | mailing-list, x_refsource_MLIST |
http://secunia.com/advisories/36665 | third-party-advisory, x_refsource_SECUNIA |
http://bugs.horde.org/ticket/?id=8311 | x_refsource_CONFIRM |
http://bugs.horde.org/ticket/?id=8399 | x_refsource_CONFIRM |
http://marc.info/?l=horde-announce&m=125292314007049&w=2 | mailing-list, x_refsource_MLIST |
https://exchange.xforce.ibmcloud.com/vulnerabilities/53202 | vdb-entry, x_refsource_XF |
http://www.osvdb.org/58109 | vdb-entry, x_refsource_OSVDB |
http://marc.info/?l=horde-announce&m=125295852706029&w=2 | mailing-list, x_refsource_MLIST |
http://www.osvdb.org/58108 | vdb-entry, x_refsource_OSVDB |
http://marc.info/?l=horde-announce&m=125291625030436&w=2 | mailing-list, x_refsource_MLIST |
http://marc.info/?l=horde-announce&m=125292339907481&w=2 | mailing-list, x_refsource_MLIST |
http://marc.info/?l=horde-announce&m=125292088004087&w=2 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T06:22:23.290Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.2.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "name": "36665", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/36665" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.horde.org/ticket/?id=8311" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://bugs.horde.org/ticket/?id=8399" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "name": "horde-mimeviewer-xss(53200)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" }, { "name": "58109", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/58109" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.2.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "name": "58108", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/58108" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.3.5 (final)", "tags": [ "mailing-list", 
"x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2009-09-14T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter; or (2) crafted unknown MIME \"text parts\" that are not properly handled in the MIME viewer library (config/mime_drivers.php)." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.2.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "name": "36665", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/36665" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.horde.org/ticket/?id=8311" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://bugs.horde.org/ticket/?id=8399" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "name": "horde-mimeviewer-xss(53200)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" }, { "name": "58109", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/58109" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.2.4 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "name": "58108", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/58108" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.2.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.3.5 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { 
"name": "[horde-announce] 20090914 [announce] Horde Groupware 1.1.6 (final)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-3237", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter; or (2) crafted unknown MIME \"text parts\" that are not properly handled in the MIME viewer library (config/mime_drivers.php)." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.2.4 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "name": "36665", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/36665" }, { "name": "http://bugs.horde.org/ticket/?id=8311", "refsource": "CONFIRM", "url": "http://bugs.horde.org/ticket/?id=8311" }, { "name": "http://bugs.horde.org/ticket/?id=8399", "refsource": "CONFIRM", "url": "http://bugs.horde.org/ticket/?id=8399" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.1.6 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "name": "horde-mimeviewer-xss(53200)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" }, { "name": "58109", "refsource": "OSVDB", "url": "http://www.osvdb.org/58109" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware Webmail Edition 1.2.4 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "name": "58108", "refsource": "OSVDB", "url": "http://www.osvdb.org/58108" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.2.5 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] [SECURITY] Horde 3.3.5 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "name": "[horde-announce] 20090914 [announce] Horde Groupware 1.1.6 (final)", "refsource": "MLIST", "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", 
"assignerShortName": "mitre", "cveId": "CVE-2009-3237", "datePublished": "2009-09-17T10:00:00", "dateReserved": "2009-09-16T00:00:00", "dateUpdated": "2024-08-07T06:22:23.290Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-9858 (GCVE-0-2019-9858)
Vulnerability from cvelistv5
Published
2019-05-29 16:26
Modified
2024-08-04 22:01
CWE
- n/a
Summary
Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter probably went unnoticed because it's never submitted by the forms, which default to securely using a random path.)
Note for defenders: the Debian advisories in this record (DLA 1822-1, DSA 4468-1) deliver the fix as a php-horde-form update, and because the write lands in the always-writable static/ folder, a .php file there that the installation did not ship is the artefact to look for on hosts that ran an affected version.
References
▼ | URL | Tags |
---|---|---|
https://ssd-disclosure.com/?p=3814&preview=true | x_refsource_MISC | |
http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2019/dsa-4468 | vendor-advisory, x_refsource_DEBIAN | |
https://seclists.org/bugtraq/2019/Jun/31 | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:01:55.132Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://ssd-disclosure.com/?p=3814\u0026preview=true" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html" }, { "name": "[debian-lts-announce] 20190616 [SECURITY] [DLA 1822-1] php-horde-form security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html" }, { "name": "DSA-4468", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2019/dsa-4468" }, { "name": "20190624 [SECURITY] [DSA 4468-1] php-horde-form security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "https://seclists.org/bugtraq/2019/Jun/31" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. 
The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it\u0027s never submitted by the forms, which default to securely using a random path.)" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-06-24T08:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://ssd-disclosure.com/?p=3814\u0026preview=true" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html" }, { "name": "[debian-lts-announce] 20190616 [SECURITY] [DLA 1822-1] php-horde-form security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html" }, { "name": "DSA-4468", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2019/dsa-4468" }, { "name": "20190624 [SECURITY] [DSA 4468-1] php-horde-form security update", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "https://seclists.org/bugtraq/2019/Jun/31" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9858", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. 
When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it\u0027s never submitted by the forms, which default to securely using a random path.)" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://ssd-disclosure.com/?p=3814\u0026preview=true", "refsource": "MISC", "url": "https://ssd-disclosure.com/?p=3814\u0026preview=true" }, { "name": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html" }, { "name": "[debian-lts-announce] 20190616 [SECURITY] [DLA 1822-1] php-horde-form security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html" }, { "name": "DSA-4468", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4468" }, { "name": "20190624 [SECURITY] [DSA 4468-1] php-horde-form security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Jun/31" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9858", "datePublished": "2019-05-29T16:26:06", "dateReserved": "2019-03-18T00:00:00", "dateUpdated": 
"2024-08-04T22:01:55.132Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2009-12-21 16:30
Modified
2025-04-09 00:30
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:application_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CD5438E-7D99-4286-81F3-1A304E9A7BDA", "versionEndIncluding": "3.3.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D3532FD-0E85-4EDC-A3A7-76F8BA915B6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D39B3B91-16B9-4B5B-AB4E-9BA568CC1E5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "ACBE1BB3-EAB6-4388-95C2-0513B0D6A327", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "8B402F70-BAAD-44D6-B414-F615F973DC9B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F1F2DA0C-C8A3-429C-83C7-B2983D3FF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "7535FE38-0FBD-48CC-9FDE-C7CA2C18CA24", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "A14A770E-60BC-4698-8BFC-5FB745A52279", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.4_rc1:*:*:*:*:*:*:*", "matchCriteriaId": "23A0AA21-C88D-45C4-9D95-414B2278E601", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8AE35AF8-CA38-42FB-BA32-057BCA2CA2AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "C91CA767-F49D-48E9-80CE-78B65DD14DF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CEC8BBFC-263E-4735-847D-5544D18922E4", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:application_framework:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8DB1F389-5D64-4B8C-B207-7D23F0C12DBE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "BE8892DF-11F2-4991-97E8-D561DEAC4F5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3B46B6F5-055E-44EB-BB78-503811C0E57C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "66B197B0-F3B7-40D6-9872-C1A94622C242", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "2698E2D7-09BF-4490-B362-4245CD3087D1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "A3B40A46-117D-4D85-8CC8-27236A3280C0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "FEFBECFF-D1A4-465D-B59F-E70246DE4BE7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "57ABD1BD-6676-4B54-9F3E-FACF1346794F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "79EC6167-5D16-4236-8EBC-412EE1784802", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "5A4F6A2A-05B6-42EA-8F61-D0AB610A6757", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "D1F91CDA-B425-4DB2-89E4-12267B600D13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "7A8BB743-A760-4C72-880C-759E54FB7CF1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "89477FCC-C925-418A-A3FF-F5B02736600C", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5862181-4CE7-452F-8877-41E099440188", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "B3E601FE-94F1-48AD-A0F2-42824A3A4FC1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "BDE2B06C-EDBD-4FA1-90AA-148E39EF5AE4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5CF33A8-C497-4C86-8C5D-7181597BEC53", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "30B312DB-14BE-425C-9B07-0CBED6F39E2F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "A2CF2865-CA12-4C4C-9BEC-7A97E6AAB377", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "DF389AE4-D2AD-4992-BFBD-68FB1CBEE50B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5611B7D8-8AEF-42A8-8132-39CE773A7C18", "versionEndIncluding": "1.2.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D59C23FB-E223-4EED-8F69-3CC1EE7DF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "904EEFF0-CF66-43E6-BAA9-1A6FB4115CB3", "vulnerable": true 
}, { "criteria": "cpe:2.3:a:horde:groupware:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3AB0176-9CB3-4D49-B644-2C413C9B6E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5611B7D8-8AEF-42A8-8132-39CE773A7C18", "versionEndIncluding": "1.2.4", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E55009DF-EDF1-4FAE-88E7-1CF33BFFEBC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "980162BB-48B3-4921-987A-6D18C62965A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D59C23FB-E223-4EED-8F69-3CC1EE7DF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "904EEFF0-CF66-43E6-BAA9-1A6FB4115CB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3AB0176-9CB3-4D49-B644-2C413C9B6E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "C95E9B57-2DB0-4692-A7D1-180EC3687D1B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "6E7D8683-8DD4-4EB0-A28F-0C556304BB2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "9F68E5D5-7812-4FB2-ACF9-76180B038D80", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "37B76B27-ADF0-4E88-B92C-304FB38A356E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "965F245A-879A-4DF0-ABC5-588E78C4CBBD", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:horde:groupware:1.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "3DCB29F9-3875-4264-8117-5751FEDC3350", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "59FC250F-EF0B-4604-99A2-3EEB8B2DEB77", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAF1A6AE-0748-476B-ACE2-DA43A9443B7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F577A169-8354-4218-B3C6-04DA4BDF1E3C", 
"vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en el interfaz de administraci\u00f3n en Horde Application Framework versiones anteriores a v3.3.6, Horde Groupware versiones anteriores a v1.2.5, y Horde Groupware Webmail Edition versiones anteriores a v1.2.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n mediante el PATH_INFO en (1) phpshell.php, (2) cmdshell.php, o (3) sqlshell.php en admin/, relacionado con la variable PHP_SELF." 
} ], "id": "CVE-2009-3701", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-12-21T16:30:00.233", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0388.html" }, { "source": "cve@mitre.org", "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "source": "cve@mitre.org", "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/37709" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/37823" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1023365" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/508531/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/37351" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/3549" }, { "source": "cve@mitre.org", "tags": 
[ "Patch", "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/3572" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54817" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0388.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/37709" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/37823" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1023365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/508531/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/37351" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/3549" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2009/3572" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54817" } ], 
"sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-23 21:15
Modified
2024-11-21 05:39
Summary
This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469.
References
▼ | URL | Tags | |
---|---|---|---|
zdi-disclosures@trendmicro.com | https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html | Mailing List, Third Party Advisory | |
zdi-disclosures@trendmicro.com | https://www.zerodayinitiative.com/advisories/ZDI-20-276/ | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.zerodayinitiative.com/advisories/ZDI-20-276/ | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 5.2.22 | |
debian | debian_linux | 8.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.22:*:*:*:webmail:*:*:*", "matchCriteriaId": "13EBB673-7F7D-402E-9791-7974AC24B529", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469." }, { "lang": "es", "value": "Esta vulnerabilidad permite a atacantes remotos ejecutar archivos PHP locales sobre las instalaciones afectadas de Horde Groupware Webmail Edition versi\u00f3n 5.2.22. Es requerida una autenticaci\u00f3n para explotar esta vulnerabilidad. El fallo espec\u00edfico se presenta dentro del archivo edit.php. Cuando se analiza el par\u00e1metro params[template], el proceso no comprueba apropiadamente una ruta suministrada por el usuario antes de usarla en operaciones de archivo. Un atacante puede aprovechar esto en conjunto con otras vulnerabilidades para ejecutar c\u00f3digo en el contexto del usuario www-data. Fue ZDI-CAN-10469." 
} ], "id": "CVE-2020-8865", "lastModified": "2024-11-21T05:39:35.833", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-23T21:15:12.567", "references": [ { "source": "zdi-disclosures@trendmicro.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html" }, { "source": "zdi-disclosures@trendmicro.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"https://www.zerodayinitiative.com/advisories/ZDI-20-276/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00009.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-276/" } ], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-23" } ], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-14 04:15
Modified
2024-11-21 05:57
Summary
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | * | |
debian | debian_linux | 9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "9B749CF0-3995-4FFF-BA34-35D7C889AD78", "versionEndIncluding": "5.2.22", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \\x00\\x00\\x00 and \\x01\\x01\\x01 interferes with XSS defenses." }, { "lang": "es", "value": "Se detect\u00f3 un problema de tipo XSS en Horde Groupware Webmail Edition versiones hasta 5.2.22 (donde es usada la biblioteca Horde_Text_Filter versiones anteriores a 2.3.7). El atacante puede enviar un mensaje de correo electr\u00f3nico de texto plano, con JavaScript codificado como un enlace o correo electr\u00f3nico que es manejado incorrectamente por la funci\u00f3n preProcess en el archivo Text2html.php, porque el uso personalizado de \\x00\\x00\\x00 y \\x01\\x01\\x01 interfiere con las defensas de XSS" } ], "id": "CVE-2021-26929", "lastModified": "2024-11-21T05:57:04.023", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, 
"obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-14T04:15:12.777", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/horde/webmail/releases" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00028.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/announce/2021/001298.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.alexbirnberg.com/horde-xss.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://www.horde.org/apps/webmail" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"tags": [ "Third Party Advisory" ], "url": "http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/horde/webmail/releases" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00028.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/announce/2021/001298.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.alexbirnberg.com/horde-xss.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://www.horde.org/apps/webmail" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-04-04 12:27
Modified
2025-04-11 00:51
Summary
Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail configuration, a different issue than CVE-2010-3695. NOTE: some of these details are obtained from third party information.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:imp:*:*:*:*:*:*:*:*", "matchCriteriaId": "313CF637-CA8F-4AC0-BE3D-9D7B4125D81E", "versionEndIncluding": "4.3.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8D2A8C5B-6155-4B40-B8C8-B4944064E3DF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D11E08A4-79D6-46FE-880F-66E9778C298E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "55A3894F-2E3F-49CA-BEE5-759D603F6EAD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "FDDBDC41-7E6F-4C97-95BD-7DEB2D9FE837", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "3B52D447-8E56-4E04-9650-38D222DA8D2C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "1C455353-0401-4975-89BC-C23D32A684F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "C1D9D9E1-D8B7-4A56-BC2F-90BDC97322B5", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "59DE856E-98FF-4B49-BD7F-3E326FEB89EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "6ED34889-9F98-46BC-9176-557484272C05", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "B7FBC61D-6A08-4DE8-A5E5-A3FC57E7759D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52AEEE6-2364-4CFB-9337-C5CCA54362E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "AD137160-B80D-4C65-A9A9-CEE12107E3DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4E6C2AC8-C21A-4152-AAE6-915ACE65CB5C", "vulnerable": true 
}, { "criteria": "cpe:2.3:a:horde:imp:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "1956C8F0-EB91-4322-85C1-6BE15AA13703", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "A48DEBEB-0C2D-4F6A-AF63-04990D2FD5AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "8E004FA4-0180-458A-8E8C-8167EF684ED8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F0A1617-17D1-4C9F-A818-27321FD2FEAE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D86CDC19-43C3-4ACC-94B4-388BCC8A2203", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "E9931A5B-CD0C-43A3-B32D-915FF4AF57D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "FDC69F98-A3B4-4573-AFE4-2069218B3454", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "AD4D0137-3515-4857-8E70-4600CD2D4278", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "A59756D1-3401-4B15-8B68-AA68B5BC3223", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.7:rc1:*:*:*:*:*:*", "matchCriteriaId": "73FD31BC-651B-461F-B9F4-6CA8D5CCE583", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "184592A5-4108-40DB-8882-9D2468490DE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "28470602-E3F1-4F04-B012-F91AB95E7A68", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "6B584932-BFB2-4462-BC69-B9FCC059F59F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "702F7A33-CF9E-4966-B622-E4BD27B120AB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0.4:*:*:*:*:*:*:*", 
"matchCriteriaId": "FF1BB456-5462-4ACE-AECF-730B1C7BE2CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "1D23A341-217D-4AF2-AC61-DFC9761AFE3E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "C129AAEE-5388-4D81-AC1F-570EFF27EF89", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "01CBF0CE-7133-4281-842C-3584AE13F36D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "373263B9-D967-4A9B-A062-FC841061E143", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "05FAFC4C-8E72-4EA5-930F-6F76CCD0138A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "F91A26C3-D538-4935-90FF-DDD5E8733968", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1F9064E7-6081-4B23-BC03-21E6F483FA53", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3E60BFE2-B3E4-416F-9697-58D912907E86", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "B4C5D659-E2C1-444D-8B5C-28970D830F1D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "72D702C7-2789-4837-BC74-59570B13B4C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "1A363643-3EF2-4F05-A934-0187AF846D51", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "4611791C-DA55-4F37-9030-1BEA17D0D817", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "2C5EC486-EF14-43DF-9152-69456E0FE271", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D82E23DB-0652-4BA9-9D9A-0107BEC1EA31", "versionEndIncluding": "1.2.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E55009DF-EDF1-4FAE-88E7-1CF33BFFEBC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "980162BB-48B3-4921-987A-6D18C62965A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D59C23FB-E223-4EED-8F69-3CC1EE7DF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "904EEFF0-CF66-43E6-BAA9-1A6FB4115CB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3AB0176-9CB3-4D49-B644-2C413C9B6E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "C95E9B57-2DB0-4692-A7D1-180EC3687D1B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "6E7D8683-8DD4-4EB0-A28F-0C556304BB2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "9F68E5D5-7812-4FB2-ACF9-76180B038D80", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": 
"37B76B27-ADF0-4E88-B92C-304FB38A356E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "965F245A-879A-4DF0-ABC5-588E78C4CBBD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "3DCB29F9-3875-4264-8117-5751FEDC3350", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "59FC250F-EF0B-4604-99A2-3EEB8B2DEB77", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAF1A6AE-0748-476B-ACE2-DA43A9443B7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", 
"matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F577A169-8354-4218-B3C6-04DA4BDF1E3C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "1FAFD66F-81F7-48F9-87F0-E394F55A1288", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "2BA91C75-69CF-45AE-AF23-ADE9259B7C9C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail configuration, a different issue than CVE-2010-3695. NOTE: some of these details are obtained from third party information." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en fetchmailprefs.php en Horde IMP antes de v4.3.8, y Horde Groupware Webmail Edition anterior a v1.2.7, permiten a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de los campos (1) nombre de usuario (tambi\u00e9n conocido como fmusername), (2) contrase\u00f1a (tambi\u00e9n conocida como fmpassword), o (3) servidor (tambi\u00e9n conocido como fmserver) de la acci\u00f3n fetchmail_prefs_save, relacionados con la configuraci\u00f3n de Fetchmail, una cuesti\u00f3n diferente a CVE-2010-3695. NOTA: algunos de estos detalles han sido obtenidos de informaci\u00f3n de terceros."
} ], "id": "CVE-2010-4778", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2011-04-04T12:27:36.437", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2513" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2513" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-13 22:30
Modified
2025-04-09 00:30
Summary
Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 does not validate ownership when performing share changes, which has unknown impact and attack vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 1.0 | |
horde | groupware | 1.0.1 | |
horde | groupware | 1.0.2 | |
horde | groupware | 1.1 | |
horde | groupware_webmail_edition | 1.0 | |
horde | groupware_webmail_edition | 1.0.2 | |
horde | groupware_webmail_edition | 1.0.3 | |
horde | groupware_webmail_edition | 1.1 | |
horde | kronolith_h3 | 2.1 | |
horde | kronolith_h3 | 2.1.1 | |
horde | kronolith_h3 | 2.1.2 | |
horde | kronolith_h3 | 2.1.3 | |
horde | kronolith_h3 | 2.1.4 | |
horde | kronolith_h3 | 2.1.5 | |
horde | kronolith_h3 | 2.1.6 | |
horde | kronolith_h3 | 2.2 | |
horde | mnemo_h3 | 2.1 | |
horde | mnemo_h3 | 2.1.1 | |
horde | mnemo_h3 | 2.2 | |
horde | nag_h3 | 2.1 | |
horde | nag_h3 | 2.1.1 | |
horde | nag_h3 | 2.1.2 | |
horde | nag_h3 | 2.1.3 | |
horde | nag_h3 | 2.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1A30F59C-D09A-495D-B5E5-E908D913164E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B013D26B-BE67-4131-B320-EF87D19E9C67", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "664B0D12-607C-4B5F-AC8E-FB1BBD1332E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "46ADF628-449A-463E-A459-69FD9DB2ADAD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "391F88AC-0D1B-4F13-874C-6FD3C6E90CE3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "4C5E6E0C-7E94-4187-B53B-1BBB73C23EE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "FDCD1651-0610-4338-9EA6-343865AA9F86", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "6F6A557A-EC2D-40AF-88C7-208DB4E8FA5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "733B59F3-1648-4875-9A9B-EC3BCA49BCEF", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "012BBA79-F969-405E-BBC8-FDC23DE25012", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "5A06B44D-9448-4C96-BD37-790DA9842BE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "9B67D985-950E-42B5-BA8D-05AE8A3EE3EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:mnemo_h3:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "C2814A27-E3C4-4A69-8FEB-E4900CD9876D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:mnemo_h3:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "D4CAC140-EA0B-4FFD-B8E7-3295623C6D81", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:mnemo_h3:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "38397885-FDB3-4454-BFBB-2B28173FEC79", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "08307428-AE78-453B-A121-15AEB7049EAF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "195D72BA-A0A6-4568-BC67-77A44F9E0697", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "3F7853DA-0958-401B-83C6-E35FACA4AAF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C2BD1454-1D33-4026-A7F6-ADB358D3DC73", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "184A2E09-5784-44C4-A5D9-87EA906F86E1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 does not validate ownership when performing share 
changes, which has unknown impact and attack vectors." }, { "lang": "es", "value": "Horde Kronolith H3 v2.1 anterior v2.1.7 y v2.2 anterior v2.2-RC2; Nag H3 v2.1 anterior v2.1.4 y 2.2 anterior v2.2-RC2; Mnemo H3 v2.1 anterior v2.1.2 y H3 2.2 anterior v2.2-RC2; Groupware v1.0 anterior v1.0.3 y v1.1 anterior v1.1-RC2; y Groupware Webmail Edition v1.0 anterior v1.0.4 y v1.1 anterior v1.1-RC2, no valida las propiedades al compartir cambios, con un impacto y vectores de ataque desconocidos." } ], "id": "CVE-2008-7219", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-13T22:30:00.420", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000368.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": 
"http://lists.horde.org/archives/announce/2008/000369.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/28382" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/27217" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000368.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"http://lists.horde.org/archives/announce/2008/000376.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/28382" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/27217" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-11-19 20:59
Modified
2025-04-12 10:46
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | * | |
horde | groupware | * | |
horde | horde_application_framework | * | |
debian | debian_linux | 8.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF7D0049-BC4B-4AAB-88A9-29B4DF202DAD", "versionEndExcluding": "5.2.11", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "A718E8E7-A300-4753-B2E6-02C41ED796DD", "versionEndExcluding": "5.2.11", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C998570-A707-4AE9-AB33-11455C9262B5", "versionEndExcluding": "5.2.8", "versionStartIncluding": "5.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en Horde en versiones anteriores a 5.2.8, Horde Groupware en versiones anteriores a 5.2.11 y Horde Groupware Webmail Edition en versiones anteriores a 5.2.11 permite a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para peticiones que ejecutan (1) comandos a trav\u00e9s del par\u00e1metro cmd a admin/cmdshell.php, (2) consultas SQL a trav\u00e9s del par\u00e1metro sql a admin/sqlshell.php o (3) c\u00f3digo PHP a trav\u00e9s del par\u00e1metro php a admin/phpshell.php arbitrarios." } ], "id": "CVE-2015-7984", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-11-19T20:59:09.223", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2015/001124.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2015/001137.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2015/001138.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2015/dsa-3391" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/38765/" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": 
"https://www.htbridge.com/advisory/HTB23272" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2015/001124.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2015/001137.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2015/001138.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "http://www.debian.org/security/2015/dsa-3391" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/38765/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.htbridge.com/advisory/HTB23272" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-23 21:15
Modified
2024-11-21 05:39
Severity ?
Summary
This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.
References
▼ | URL | Tags | |
---|---|---|---|
zdi-disclosures@trendmicro.com | https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html | Mailing List, Third Party Advisory | |
zdi-disclosures@trendmicro.com | https://lists.horde.org/archives/announce/2020/001288.html | Mailing List, Vendor Advisory | |
zdi-disclosures@trendmicro.com | https://www.zerodayinitiative.com/advisories/ZDI-20-275/ | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.horde.org/archives/announce/2020/001288.html | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.zerodayinitiative.com/advisories/ZDI-20-275/ | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 5.2.22 | |
horde | horde_form | * | |
debian | debian_linux | 8.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.22:*:*:*:webmail:*:*:*", "matchCriteriaId": "13EBB673-7F7D-402E-9791-7974AC24B529", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_form:*:*:*:*:*:*:*:*", "matchCriteriaId": "65DB0EAC-4A7F-4805-A30D-38F0AE22BFB6", "versionEndExcluding": "2.0.20", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125." }, { "lang": "es", "value": "Esta vulnerabilidad permite a atacantes remotos crear archivos arbitrarios sobre las instalaciones afectadas de Horde Groupware Webmail Edition versi\u00f3n 5.2.22. Es requerida una autenticaci\u00f3n para explotar esta vulnerabilidad. El fallo espec\u00edfico se presenta dentro del archivo add.php. El problema es debido a la falta de una comprobaci\u00f3n apropiada de los datos suministrados por el usuario, lo que puede permitir la carga de archivos arbitrarios. Un atacante puede aprovechar esto en conjunto con otras vulnerabilidades para ejecutar c\u00f3digo en el contexto del usuario www-data. Fue ZDI-CAN-10125." 
} ], "id": "CVE-2020-8866", "lastModified": "2024-11-21T05:39:35.940", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-23T21:15:12.643", "references": [ { "source": "zdi-disclosures@trendmicro.com", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html" }, { "source": "zdi-disclosures@trendmicro.com", "tags": [ "Mailing List", "Vendor Advisory" ], "url": 
"https://lists.horde.org/archives/announce/2020/001288.html" }, { "source": "zdi-disclosures@trendmicro.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-275/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00036.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/announce/2020/001288.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-275/" } ], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "zdi-disclosures@trendmicro.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-05 21:55
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than CVE-2012-5565.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | * | |
horde | groupware | 4.0 | |
horde | groupware | 4.0 | |
horde | groupware | 4.0 | |
horde | groupware | 4.0.1 | |
horde | groupware | 4.0.2 | |
horde | groupware | 4.0.3 | |
horde | groupware | 4.0.4 | |
horde | groupware | 4.0.5 | |
horde | groupware | 4.0.6 | |
horde | groupware | 4.0.7 | |
horde | imp | * | |
horde | imp | 5.0 | |
horde | imp | 5.0 | |
horde | imp | 5.0 | |
horde | imp | 5.0 | |
horde | imp | 5.0 | |
horde | imp | 5.0.1 | |
horde | imp | 5.0.2 | |
horde | imp | 5.0.3 | |
horde | imp | 5.0.4 | |
horde | imp | 5.0.5 | |
horde | imp | 5.0.6 | |
horde | imp | 5.0.7 | |
horde | imp | 5.0.8 | |
horde | imp | 5.0.9 | |
horde | imp | 5.0.10 | |
horde | imp | 5.0.11 | |
horde | imp | 5.0.12 | |
horde | imp | 5.0.13 | |
horde | imp | 5.0.14 | |
horde | imp | 5.0.15 | |
horde | imp | 5.0.16 | |
horde | imp | 5.0.17 | |
horde | imp | 5.0.18 | |
horde | imp | 5.0.19 | |
horde | imp | 5.0.20 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:webamail:*:*:*:*:*", "matchCriteriaId": "E888C8C2-27C5-4BD0-9EEE-750DF5DE6488", "versionEndIncluding": "4.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:*:webamail:*:*:*:*:*", "matchCriteriaId": "F505E80A-B91C-401C-9B77-F34B00ECA434", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:rc1:webamail:*:*:*:*:*", "matchCriteriaId": "A9129D4A-F365-4630-976A-DBFBBEA531FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:rc2:webamail:*:*:*:*:*", "matchCriteriaId": "C910D464-66B3-4593-A7D8-3FD3EADB9AFE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.1:*:webamail:*:*:*:*:*", "matchCriteriaId": "A6A67FDD-C9CE-43E4-ADD9-DB5699BEF61C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.2:*:webamail:*:*:*:*:*", "matchCriteriaId": "A1158FCA-2AAB-4EC4-9B34-F1B44DDA4FA9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.3:*:webamail:*:*:*:*:*", "matchCriteriaId": "2A0A5DB9-3731-466D-8D0F-7BE71A34184B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.4:*:webamail:*:*:*:*:*", "matchCriteriaId": "5D07339E-54B9-4513-82EB-0FB53AD5B82B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.5:*:webamail:*:*:*:*:*", "matchCriteriaId": "717CB664-818F-4583-83FF-47B167993569", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.6:*:webamail:*:*:*:*:*", "matchCriteriaId": "185839EF-1F07-4C2C-B710-FD607EAD0A71", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.7:*:webamail:*:*:*:*:*", "matchCriteriaId": "29D96163-C022-4DBD-8B94-746665B99A73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:imp:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C4F200B-F579-4B46-BECB-284FA36393F4", "versionEndIncluding": "5.0.21", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:imp:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD07BF20-09CE-4D32-A935-8EAA8363356F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "1B91647A-F174-4F2E-992E-BDA23B2E3545", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "126DFFE7-AD9F-41E8-8AA0-C0F9CE80271A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "B02F8BA6-4A13-48CA-BAC9-F8C932453EF8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "20AA91CC-4B6C-4BC9-9730-C613300702AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EE8E0715-9A6B-4A7C-9A6F-4B7A344B0968", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "382D599B-09EC-4C2A-8F23-EB5D03C4AA5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "15348E42-1A70-4787-95B0-9EDB100BB36C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "353AD017-60F5-4168-B672-17EF90CDCB64", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "9BBB960F-026D-4C40-BC61-0D963C9E25E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "B0D3990B-339B-498A-A5B5-780DA8A0ABD6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "CAF27F1F-F405-47F8-9486-E86555D61B7D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "8B2E22CB-E82E-4203-B9E9-4BDA58C9A5EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "1FE4D6BE-11F3-468E-8CB2-44AA1B3BA7FC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": 
"74EE40AB-753A-4109-AE27-7BDD78B047A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "5A03CD8B-C101-4737-B435-B43D543E6335", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "4D3C95A9-E61E-45BF-9FBD-EBE16F4B3189", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "94B7724A-D3D2-4511-9E44-E0C71E049854", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "40F93E89-8B6D-4A1F-BBD9-B154B5489236", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "BF189F04-60A6-4D80-BCCD-B405F35AAE1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "FA984AF6-BE4F-4F23-9D42-3B05B05F6FA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "7B27528A-1090-4834-808C-39202BFB2A18", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "09A43FBB-5345-4D86-B5A2-885DEDDEF70A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.19:*:*:*:*:*:*:*", "matchCriteriaId": "981F83E1-6D69-401D-9F11-9A8A2036BF6A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.20:*:*:*:*:*:*:*", "matchCriteriaId": "823C5DDE-2853-472C-9367-2E7E1E97D61C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than CVE-2012-5565." 
}, { "lang": "es", "value": "Vulnerabilidad de XSS en Horde Internet Mail Program (IMP) anterior a 5.0.22, utilizado en Horde Groupware Webmail Edition anterior a 4.0.9, permite a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s de un adjunto de imagen SVG manipulado, una vulnerabilidad diferente a CVE-2012-5565." } ], "id": "CVE-2012-6640", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-04-05T21:55:06.330", "references": [ { "source": "cve@mitre.org", "url": "http://lists.horde.org/archives/announce/2012/000775.html" }, { "source": "cve@mitre.org", "url": "http://lists.horde.org/archives/announce/2012/000840.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://github.com/horde/horde/commit/08c699f744b6d2be1a5f3a2ba7203f4631b4c5dc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/announce/2012/000775.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/announce/2012/000840.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/horde/horde/commit/08c699f744b6d2be1a5f3a2ba7203f4631b4c5dc" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-04-27 19:05
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 1.0.5 | |
horde | groupware_webmail_edition | 1.0.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3AB0176-9CB3-4D49-B644-2C413C9B6E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "842159D1-E30C-4077-8E92-07979E52C10B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter." }, { "lang": "es", "value": "Vulnerabilidad de secuencias de \u00f3rdenes en sitios cruzados (XSS) en addevent.php de Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, y Groupware 1.0.5 permite a atacantes remotos inyectar \u0027script\u0027 web o HTML de su elecci\u00f3n mediante el par\u00e1metro \"url\"." } ], "id": "CVE-2008-1974", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2008-04-27T19:05:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://forum.aria-security.com/showthread.php?t=49" }, { "source": "cve@mitre.org", "url": "http://lists.horde.org/archives/kronolith/Week-of-Mon-20080421/006807.html" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/51238" }, { 
"source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29920" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/30649" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3831" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/491230/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/28898" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1019934" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/1373/references" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41974" }, { "source": "cve@mitre.org", "url": "https://www.debian.org/security/2008/dsa-1560" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00427.html" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00444.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://forum.aria-security.com/showthread.php?t=49" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/kronolith/Week-of-Mon-20080421/006807.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/51238" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29920" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/30649" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/3831" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/491230/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": 
"http://www.securityfocus.com/bid/28898" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1019934" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/1373/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41974" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2008/dsa-1560" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00427.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-June/msg00444.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-05 21:55
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file, related to the dynamic view.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | imp | * | |
horde | imp | 5.0.4 | |
horde | imp | 5.0.5 | |
horde | imp | 5.0.6 | |
horde | imp | 5.0.7 | |
horde | imp | 5.0.8 | |
horde | imp | 5.0.9 | |
horde | imp | 5.0.10 | |
horde | imp | 5.0.11 | |
horde | imp | 5.0.12 | |
horde | imp | 5.0.13 | |
horde | imp | 5.0.14 | |
horde | imp | 5.0.15 | |
horde | imp | 5.0.16 | |
horde | imp | 5.0.17 | |
horde | imp | 5.0.18 | |
horde | imp | 5.0.19 | |
horde | imp | 5.0.20 | |
horde | imp | 5.0.21 | |
horde | imp | 5.0.22 | |
horde | groupware | * | |
horde | groupware | 4.0 | |
horde | groupware | 4.0 | |
horde | groupware | 4.0 | |
horde | groupware | 4.0.1 | |
horde | groupware | 4.0.2 | |
horde | groupware | 4.0.3 | |
horde | groupware | 4.0.4 | |
horde | groupware | 4.0.5 | |
horde | groupware | 4.0.6 | |
horde | groupware | 4.0.7 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:imp:*:*:*:*:*:*:*:*", "matchCriteriaId": "E28CB330-C845-4E68-989E-807B16726CC7", "versionEndIncluding": "5.0.23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "353AD017-60F5-4168-B672-17EF90CDCB64", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "9BBB960F-026D-4C40-BC61-0D963C9E25E3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "B0D3990B-339B-498A-A5B5-780DA8A0ABD6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "CAF27F1F-F405-47F8-9486-E86555D61B7D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "8B2E22CB-E82E-4203-B9E9-4BDA58C9A5EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "1FE4D6BE-11F3-468E-8CB2-44AA1B3BA7FC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "74EE40AB-753A-4109-AE27-7BDD78B047A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "5A03CD8B-C101-4737-B435-B43D543E6335", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "4D3C95A9-E61E-45BF-9FBD-EBE16F4B3189", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "94B7724A-D3D2-4511-9E44-E0C71E049854", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "40F93E89-8B6D-4A1F-BBD9-B154B5489236", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "BF189F04-60A6-4D80-BCCD-B405F35AAE1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "FA984AF6-BE4F-4F23-9D42-3B05B05F6FA3", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "7B27528A-1090-4834-808C-39202BFB2A18", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "09A43FBB-5345-4D86-B5A2-885DEDDEF70A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.19:*:*:*:*:*:*:*", "matchCriteriaId": "981F83E1-6D69-401D-9F11-9A8A2036BF6A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.20:*:*:*:*:*:*:*", "matchCriteriaId": "823C5DDE-2853-472C-9367-2E7E1E97D61C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.21:*:*:*:*:*:*:*", "matchCriteriaId": "1E513887-24D1-4F94-9948-F355F9778CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:5.0.22:*:*:*:*:*:*:*", "matchCriteriaId": "58D4656C-5230-4155-9435-FFFB6E9F515F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:webamail:*:*:*:*:*", "matchCriteriaId": "E888C8C2-27C5-4BD0-9EEE-750DF5DE6488", "versionEndIncluding": "4.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:*:webamail:*:*:*:*:*", "matchCriteriaId": "F505E80A-B91C-401C-9B77-F34B00ECA434", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:rc1:webamail:*:*:*:*:*", "matchCriteriaId": "A9129D4A-F365-4630-976A-DBFBBEA531FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:rc2:webamail:*:*:*:*:*", "matchCriteriaId": "C910D464-66B3-4593-A7D8-3FD3EADB9AFE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.1:*:webamail:*:*:*:*:*", "matchCriteriaId": "A6A67FDD-C9CE-43E4-ADD9-DB5699BEF61C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.2:*:webamail:*:*:*:*:*", "matchCriteriaId": "A1158FCA-2AAB-4EC4-9B34-F1B44DDA4FA9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.3:*:webamail:*:*:*:*:*", "matchCriteriaId": "2A0A5DB9-3731-466D-8D0F-7BE71A34184B", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.4:*:webamail:*:*:*:*:*", "matchCriteriaId": "5D07339E-54B9-4513-82EB-0FB53AD5B82B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.5:*:webamail:*:*:*:*:*", "matchCriteriaId": "717CB664-818F-4583-83FF-47B167993569", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.6:*:webamail:*:*:*:*:*", "matchCriteriaId": "185839EF-1F07-4C2C-B710-FD607EAD0A71", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.7:*:webamail:*:*:*:*:*", "matchCriteriaId": "29D96163-C022-4DBD-8B94-746665B99A73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file, related to the dynamic view." }, { "lang": "es", "value": "Vulnerabilidad de XSS en js/compose-dimp.js en Horde Internet Mail Program (IMP) anterior a 5.0.24, utilizado en Horde Groupware Webmail Edition anterior a 4.0.9, permite a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s de un nombre manipulado para un archivo adjunto, relacionado con la visualizaci\u00f3n din\u00e1mica." 
} ], "id": "CVE-2012-5565", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-04-05T21:55:06.190", "references": [ { "source": "secalert@redhat.com", "url": "http://lists.horde.org/archives/announce/2012/000833.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2012/000840.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00020.html" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/6" }, { "source": "secalert@redhat.com", "url": "https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/announce/2012/000833.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2012/000840.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00020.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2" } ], "sourceIdentifier": "secalert@redhat.com", 
"vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-11-05 14:15
Modified
2024-11-21 01:59
Severity ?
Summary
Horde Groupware Webmail Edition has CSRF and XSS vulnerabilities when saving a search as a virtual address book.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 5.1.2 | |
debian | debian_linux | 8.0 | |
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.1.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "36EBEA90-C1D6-4AFE-B04D-F085986F8B92", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book" }, { "lang": "es", "value": "Horde Groupware Webmail Edition, presenta una vulnerabilidad de tipo CSRF y XSS, cuando se guarda una b\u00fasqueda como una libreta de direcciones virtual." 
} ], "id": "CVE-2013-6364", "lastModified": "2024-11-21T01:59:04.577", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-05T14:15:13.037", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/29519" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6364" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.securityfocus.com/archive/1/529589" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/29519" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6364" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.securityfocus.com/archive/1/529589" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" }, { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-04-13 16:59
Modified
2025-04-12 10:46
Summary
Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
debian | debian_linux | 8.0 | |
horde | groupware | * | |
horde | horde_groupware | * | |
fedoraproject | fedora | 22 | |
fedoraproject | fedora | 23 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7704728-F087-409B-81FB-B8BCB7C69FF8", "versionEndIncluding": "5.2.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:*:*:*:*:webmail_edition:*:*:*", "matchCriteriaId": "509F0679-0B78-413E-BA9F-1CF0C06CD044", "versionEndIncluding": "5.2.11", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*", "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php." }, { "lang": "es", "value": "Vulnerabilidad de XSS en horde/templates/topbar/_menubar.html.php en Horde Groupware en versiones anteriores a 5.2.12 y Horde Groupware Webmail Edition en versiones anteriores a 5.2.12 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro searchfield, como ha quedado demostrado por una petici\u00f3n a xplorer/gollem/manager.php." 
} ], "id": "CVE-2016-2228", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-04-13T16:59:12.207", "references": [ { "source": "security@debian.org", "url": "http://bugs.horde.org/ticket/14213" }, { "source": "security@debian.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "source": "security@debian.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "source": "security@debian.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "source": "security@debian.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "source": "security@debian.org", "url": "http://www.debian.org/security/2016/dsa-3497" }, { "source": "security@debian.org", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { 
"source": "security@debian.org", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "source": "security@debian.org", "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" }, { "source": "security@debian.org", "tags": [ "Exploit" ], "url": "https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.horde.org/ticket/14213" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3497" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8" } ], "sourceIdentifier": "security@debian.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-07-14 14:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "457A127F-2D18-4FAC-A51F-6B10BBC59C40", "versionEndIncluding": "5.1.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.0:*:*:*:webmail:*:*:*", "matchCriteriaId": "74C2C13C-0014-4E45-B459-50B7005C828D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.0:rc1:*:*:webmail:*:*:*", "matchCriteriaId": "3C63CC65-6B19-4B8D-A4DC-3B0C3055E8A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.1:*:*:*:webmail:*:*:*", "matchCriteriaId": "A09D1D89-A623-442E-9261-F58031BB517D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "6C36F237-9CBF-4E9E-A1DF-ABCB0187E725", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.3:*:*:*:webmail:*:*:*", "matchCriteriaId": "9103D5DE-E24A-476F-AEE9-68E3736E1C7E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.4:*:*:*:webmail:*:*:*", "matchCriteriaId": "2F5106E5-050E-443C-9A67-0210AA01FE35", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.5:*:*:*:webmail:*:*:*", "matchCriteriaId": "0ABE42CD-F4E3-4255-985D-6AC712231134", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.0:*:*:*:webmail:*:*:*", "matchCriteriaId": "693E0F58-A378-4A85-94B1-66709A557623", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.0:rc1:*:*:webmail:*:*:*", "matchCriteriaId": "FB8CD370-1B28-4E95-A357-C0476458A0F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.1:*:*:*:webmail:*:*:*", "matchCriteriaId": "D3203790-5230-4F8F-AE5E-F2D48B0B1767", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "36EBEA90-C1D6-4AFE-B04D-F085986F8B92", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.3:*:*:*:webmail:*:*:*", "matchCriteriaId": 
"3E2F5341-D61A-4FDB-99DE-4B65B6F333C6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:*:*:*:*:*:*:*:*", "matchCriteriaId": "D59AF1C6-0EA7-48DC-BD3E-5611DF294DFE", "versionEndIncluding": "6.1.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "3DB663F3-317F-4E02-8D6A-15185000BF41", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "F86A6088-11EA-414A-96FD-214295554AF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "590B012A-3F3F-45AD-ACBC-FEA6FC6EB063", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "6B30DDA2-DC2B-4FBD-B0AE-9622A5C6FA89", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "39293A85-A727-40F1-8C22-6F6FFC850ABD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "224409A7-9D51-4D7C-B0F1-FA55F2C247FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "9AFE6FAC-13F9-4DF7-809E-02D5A88E1993", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "3EEAAFA4-6E8F-433F-818E-3A39F794885F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FEB9545C-58ED-4A7D-A740-C7AE458751DF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8CF5F1D9-D61A-4935-81A6-131C814F04F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "12D4458F-4155-465D-AC29-51C163528D4A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:internet_mail_program:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "10E16364-A584-4CD5-A408-B78D738A4772", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "7A5769FE-7950-487D-B648-6EE2BB3D5777", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "754CB9EA-E5D6-431C-93FD-0536CD5DAC26", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "C4539C8B-5A8C-4C95-9073-2FA7DE4BD367", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "CCE65FD3-06FB-4D8B-B84A-260907B1C950", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C533F92C-BB57-4BB3-89DB-CD67B9738444", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "BCFD6FBF-164F-4A0D-A121-4FC365FC0393", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "EBB97A81-2BD4-4830-B13E-ADD56B2E6178", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "88DAB3CC-1C43-4CA2-B63A-2FE962B2638A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "C6C4A3CF-71A4-401B-8DDB-D24202781F49", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "8340BBB6-EF39-449D-80F3-BAF6F107D429", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "1768F80C-0098-44A1-B14D-85865FD0F013", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site 
scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en Horde Internet Mail Program (IMP) anterior a 6.1.8, utilizado en Horde Groupware Webmail Edition anterior a 5.1.5, permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de (1) indicadores no especificados o (2) un nombre de buz\u00f3n en la visualizaci\u00f3n din\u00e1mica de buzones." } ], "id": "CVE-2014-4946", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-07-14T14:55:07.590", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2014/001019.html" }, { "source": "cve@mitre.org", "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/59770" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/59772" }, { "source": "cve@mitre.org", "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "source": "cve@mitre.org", "url": 
"https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2014/001019.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59770" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59772" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-11-20 20:29
Modified
2025-04-20 01:37
Summary
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html | Exploit, Issue Tracking, Third Party Advisory | |
cve@mitre.org | https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d | Patch, Third Party Advisory | |
cve@mitre.org | https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md | Exploit, Third Party Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "19922FDE-5ACF-4BDA-A569-E8579F047E60", "versionEndIncluding": "5.2.22", "versionStartIncluding": "5.2.19", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a \"Calendar -\u003e New Event\" action." }, { "lang": "es", "value": "En Horde Groupware 5.2.19-5.2.22, existe XSS mediante el campo URL en una acci\u00f3n \"Calendar -\u003e New Event\"." } ], "id": "CVE-2017-16906", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-11-20T20:29:00.340", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "source": 
"cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-17 10:30
Modified
2025-04-09 00:30
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4 allow remote attackers to inject arbitrary web script or HTML via (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter, or (2) crafted unknown MIME "text parts" that are not properly handled in the MIME viewer library (config/mime_drivers.php).
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "88BE4BD4-174C-4EC5-BCE7-CA63D1369043", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "0D32C974-121E-4FAB-8E39-2933C912935F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "60A02DC9-3602-43B2-8574-15A6D4528142", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "61F847C8-7775-4FC0-BBE1-C56DFC3D9A63", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "C1ECC0C8-DE09-4079-8476-B0C82ABE980A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "8ADA6AAC-7511-47F6-B805-A5C48BA4CD11", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "9B3CB720-A1C0-4E49-BA2C-02283499F252", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "3CE83C51-175E-4FB9-BA2B-505A8B559D44", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "172260F8-D4E5-470D-84EA-00B88B090A8B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_application_framework:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "51487521-E1DB-4CD0-9071-C9449EFB681E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "26FB18AE-EDA5-48DF-9592-9970FFD3C72F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "30FF79BF-E978-49BF-BF07-DF4A75C6E52F", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:horde_groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "633B142D-AAF2-49EE-B152-C1C4524E4543", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "E8CFFA11-C38E-4F92-8BF2-223B97911E0B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "4C4151CC-DC68-4883-91E2-712D9FD0C160", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "7F359B33-A791-4792-9CD3-BA551F1291DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "16F105C6-75E5-4BD8-A7A2-0DB31B6F5498", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "2187B702-3598-4353-81AA-EBDCC3E48A97", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde_groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "52D84C54-EAFF-4368-ADEF-589F95EA6BD5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "37B76B27-ADF0-4E88-B92C-304FB38A356E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "965F245A-879A-4DF0-ABC5-588E78C4CBBD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "3DCB29F9-3875-4264-8117-5751FEDC3350", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "59FC250F-EF0B-4604-99A2-3EEB8B2DEB77", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAF1A6AE-0748-476B-ACE2-DA43A9443B7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F577A169-8354-4218-B3C6-04DA4BDF1E3C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter; or 
(2) crafted unknown MIME \"text parts\" that are not properly handled in the MIME viewer library (config/mime_drivers.php)." }, { "lang": "es", "value": "M\u00faltiple vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Horde Application Framework desde v3.2 anteriores a v3.2.5 y desde v3.3 anteriores a v3.3.5; Groupware desde v1.1 anteriores a v1.1.6 y 1.2 anteriores a v1.2.4; y Groupware Webmail Edition desde v1.1 anteriores a v1.1.6 y desde v1.2 anteriores a v1.2.4; permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a trav\u00e9s de (1) preferencias num\u00e9ricas manipuladas que no han sido adecuadamente gestionadas en el sistema de preferencias (services/prefs.php), como quedo demostrado por el par\u00e1metro sidebar_width o (2) \"fragmentos de texto\" MIME desconocidos manipulados que no son gestionados adecuadamente por la librer\u00eda de visor de MIME (config/mime_drivers.php)." } ], "id": "CVE-2009-3237", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-17T10:30:01.390", "references": [ { "source": "cve@mitre.org", "url": "http://bugs.horde.org/ticket/?id=8311" }, { "source": "cve@mitre.org", "url": "http://bugs.horde.org/ticket/?id=8399" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], 
"url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36665" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/58108" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/58109" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.horde.org/ticket/?id=8311" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.horde.org/ticket/?id=8399" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36665" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/58108" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/58109" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-13 22:30
Modified
2025-04-09 00:30
Severity ?
Summary
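Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and 2.2 before 2.2-RC2; Horde Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 has unknown impact and attack vectors.
Note: the NVD record below rates this 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) with acInsufInfo set to true and the weakness recorded as NVD-CWE-noinfo, so the score appears to have been assigned without technical detail rather than from an assessed impact.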
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 1.0 | |
horde | groupware | 1.0.1 | |
horde | groupware | 1.0.2 | |
horde | groupware | 1.1 | |
horde | groupware_webmail_edition | 1.0 | |
horde | groupware_webmail_edition | 1.0.2 | |
horde | groupware_webmail_edition | 1.0.3 | |
horde | groupware_webmail_edition | 1.1 | |
horde | horde | 3.1 | |
horde | horde | 3.1.1 | |
horde | horde | 3.1.2 | |
horde | horde | 3.1.3 | |
horde | horde | 3.1.4 | |
horde | horde | 3.1.5 | |
horde | horde | 3.2 | |
horde | kronolith_h3 | 2.1 | |
horde | kronolith_h3 | 2.1.1 | |
horde | kronolith_h3 | 2.1.2 | |
horde | kronolith_h3 | 2.1.3 | |
horde | kronolith_h3 | 2.1.4 | |
horde | kronolith_h3 | 2.1.5 | |
horde | kronolith_h3 | 2.1.6 | |
horde | kronolith_h3 | 2.2 | |
horde | mnemo_h3 | 2.1 | |
horde | mnemo_h3 | 2.1.1 | |
horde | mnemo_h3 | 2.2 | |
horde | nag_h3 | 2.1 | |
horde | nag_h3 | 2.1.1 | |
horde | nag_h3 | 2.1.2 | |
horde | nag_h3 | 2.1.3 | |
horde | nag_h3 | 2.2 | |
horde | turba_h3 | 2.1 | |
horde | turba_h3 | 2.1.1 | |
horde | turba_h3 | 2.1.2 | |
horde | turba_h3 | 2.1.3 | |
horde | turba_h3 | 2.1.4 | |
horde | turba_h3 | 2.1.5 | |
horde | turba_h3 | 2.2 | |
horde | turba_h3 | 2.2 (rc1) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1A30F59C-D09A-495D-B5E5-E908D913164E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B013D26B-BE67-4131-B320-EF87D19E9C67", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "664B0D12-607C-4B5F-AC8E-FB1BBD1332E7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "46ADF628-449A-463E-A459-69FD9DB2ADAD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "D589E22C-7F87-43EF-B5FF-DC2B43E5252C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "57AD38FB-23DF-406D-8889-E9EB18D22C57", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "35BECCFA-1E18-41ED-882A-5C743D970EC0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C0285D4F-8CD8-48F9-9D68-A80E8742BAC8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde:3.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "B3808FD9-126C-422F-AFE4-4FF6E1366431", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:horde:3.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "96A4F9E2-7978-4C82-9BD3-B6B73C4918E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "457276C8-6665-48C5-948C-E65E6309C0ED", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "391F88AC-0D1B-4F13-874C-6FD3C6E90CE3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "4C5E6E0C-7E94-4187-B53B-1BBB73C23EE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "FDCD1651-0610-4338-9EA6-343865AA9F86", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "6F6A557A-EC2D-40AF-88C7-208DB4E8FA5A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "733B59F3-1648-4875-9A9B-EC3BCA49BCEF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "012BBA79-F969-405E-BBC8-FDC23DE25012", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "5A06B44D-9448-4C96-BD37-790DA9842BE6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h3:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "9B67D985-950E-42B5-BA8D-05AE8A3EE3EC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:mnemo_h3:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "C2814A27-E3C4-4A69-8FEB-E4900CD9876D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:mnemo_h3:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "D4CAC140-EA0B-4FFD-B8E7-3295623C6D81", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:mnemo_h3:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "38397885-FDB3-4454-BFBB-2B28173FEC79", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "08307428-AE78-453B-A121-15AEB7049EAF", "vulnerable": true }, 
{ "criteria": "cpe:2.3:a:horde:nag_h3:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "195D72BA-A0A6-4568-BC67-77A44F9E0697", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "3F7853DA-0958-401B-83C6-E35FACA4AAF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "C2BD1454-1D33-4026-A7F6-ADB358D3DC73", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:nag_h3:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "184A2E09-5784-44C4-A5D9-87EA906F86E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_h3:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD583BAE-8123-40B9-8A68-96725A86EBF0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_h3:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "EE9CA86E-B688-495F-8233-69632B56E1FE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_h3:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "56B99A86-A8A6-474E-B54F-9F010FFE7C91", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_h3:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "88F73B3B-DB27-40F9-BCC2-E5ACC10F2A1A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_h3:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "4035BF4B-64F9-4A0D-82D0-99276B8B7010", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_h3:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "6D808D3F-9332-4667-838C-CD545EDAD37B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_h3:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "73C0F1DE-D2CB-4FA1-89FA-2C6E0991FDDA", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_h3:2.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "6E649CA6-3EBD-40A4-860F-08141F8FB9D2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 
2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and 2.2 before 2.2-RC2; Horde Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 has unknown impact and attack vectors." }, { "lang": "es", "value": "Vulnerabilidad no especificada en el API de Horde v3.1 anterior a v3.1.6 y v3.2 anterior a v3.2 anterior a v3.2-RC2; Turba H3 v2.1 anterior a v2.1.6 y v2.2 anterior a v2.2-RC2; Kronolith H3 2.1 anterior a v2.1.7 y H3 v2.2 anterior a v2.2-RC2; Nag H3 v2.1 anterior a v2.1.4 y v2.2 anterior a v2.2-RC2; Mnemo H3 v2.1 anterior a v2.1.2 y v2.2 anterior a v2.2-RC2; Horde Groupware v1.0 anterior a v1.0.3 y v1.1 anterior a v1.1-RC2; y Groupware Webmail Edition v1.0 anterior a v1.0.4 y v1.1 anterior a v1.1-RC2; tiene impacto y vectores de ataque desconocidos." } ], "id": "CVE-2008-7218", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-13T22:30:00.360", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000360.html" }, { "source": "cve@mitre.org", "url": "http://lists.horde.org/archives/announce/2008/000361.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": 
"http://lists.horde.org/archives/announce/2008/000363.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000367.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000368.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000374.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/28382" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/42775" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/27217" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39599" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000360.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://lists.horde.org/archives/announce/2008/000361.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000362.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000363.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000364.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000365.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000366.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000367.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000368.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000369.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000371.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000374.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000376.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000377.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/28382" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/42775" 
}, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/27217" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39599" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00176.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-03-11 00:44
Modified
2025-04-09 00:30
Severity ?
Summary
Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "1FCA87DD-0549-4B2F-B1F4-46632258A059", "versionEndIncluding": "1.0.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:*:*:*:*:*:*:*:*", "matchCriteriaId": "77138B08-A680-4FEC-873F-6E25B05D44CB", "versionEndIncluding": "1.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde:3.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "93944D77-B65B-48F4-9334-8FC9B1D96F53", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via \"..\" sequences and a null byte in the theme name." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en Horde 3.1.6, Groupware anterior 1.0.5, y Groupware Webmail Edition anterior 1.0.6, cuando ejecuta ciertas configuraciones, pertmite a usuarios autenticados remotamente leer y ejecutar ficheros de su elecci\u00f3n a trav\u00e9s de secuencias \"..\" y de byte nulo en el mismo \"theme name\"." 
} ], "id": "CVE-2008-1284", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-03-11T00:44:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000382.html" }, { "source": "cve@mitre.org", "url": "http://lists.horde.org/archives/announce/2008/000383.html" }, { "source": "cve@mitre.org", "url": "http://lists.horde.org/archives/announce/2008/000384.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29286" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29374" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29400" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/30047" }, { "source": "cve@mitre.org", "url": "http://security.gentoo.org/glsa/glsa-200805-01.xml" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3726" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1519" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489239/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/489289/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": 
"http://www.securityfocus.com/bid/28153" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0822/references" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41054" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00253.html" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00301.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000382.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/announce/2008/000383.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/announce/2008/000384.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29286" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29374" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29400" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/30047" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://security.gentoo.org/glsa/glsa-200805-01.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/3726" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1519" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/489239/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/489289/100/0/threaded" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/28153" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0822/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41054" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00253.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00301.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-09-17 10:30
Modified
2025-04-09 00:30
Severity ?
Summary
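The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote attackers, with privileges to write to the address book, to overwrite arbitrary files and execute PHP code via crafted Horde_Form_Type_image form field elements.
Note: the NVD CVSS v2 data in the record below (AV:N/AC:M/Au:N/C:N/I:P/A:N, base score 4.3) records no authentication requirement and only partial integrity impact, which does not match the address-book write privilege, arbitrary file overwrite and PHP code execution described above; prioritise this entry by the description rather than by the score.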
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | application_framework | 3.2 | |
horde | application_framework | 3.2.1 | |
horde | application_framework | 3.2.2 | |
horde | application_framework | 3.2.3 | |
horde | application_framework | 3.2.4 | |
horde | application_framework | 3.3 | |
horde | application_framework | 3.3.1 | |
horde | application_framework | 3.3.2 | |
horde | application_framework | 3.3.3 | |
horde | application_framework | 3.3.4 | |
horde | groupware | 1.1 | |
horde | groupware | 1.1.1 | |
horde | groupware | 1.1.2 | |
horde | groupware | 1.1.3 | |
horde | groupware | 1.1.4 | |
horde | groupware | 1.1.5 | |
horde | groupware | 1.2 | |
horde | groupware | 1.2 (rc1) | |
horde | groupware | 1.2.1 | |
horde | groupware | 1.2.2 | |
horde | groupware | 1.2.3 | |
horde | groupware | 1.1 | |
horde | groupware | 1.1 (rc1) | |
horde | groupware | 1.1 (rc2) | |
horde | groupware | 1.1 (rc3) | |
horde | groupware | 1.1 (rc4) | |
horde | groupware | 1.1.1 | |
horde | groupware | 1.1.2 | |
horde | groupware | 1.1.3 | |
horde | groupware | 1.1.4 | |
horde | groupware | 1.1.5 | |
horde | groupware | 1.2 | |
horde | groupware | 1.2 (rc1) | |
horde | groupware | 1.2.1 | |
horde | groupware | 1.2.2 | |
horde | groupware | 1.2.3 | |
horde | groupware | 1.2.3 (rc1) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:application_framework:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "D1F91CDA-B425-4DB2-89E4-12267B600D13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "7A8BB743-A760-4C72-880C-759E54FB7CF1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "89477FCC-C925-418A-A3FF-F5B02736600C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5862181-4CE7-452F-8877-41E099440188", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "B3E601FE-94F1-48AD-A0F2-42824A3A4FC1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "BDE2B06C-EDBD-4FA1-90AA-148E39EF5AE4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5CF33A8-C497-4C86-8C5D-7181597BEC53", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "30B312DB-14BE-425C-9B07-0CBED6F39E2F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "A2CF2865-CA12-4C4C-9BEC-7A97E6AAB377", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "DF389AE4-D2AD-4992-BFBD-68FB1CBEE50B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "37B76B27-ADF0-4E88-B92C-304FB38A356E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "965F245A-879A-4DF0-ABC5-588E78C4CBBD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "3DCB29F9-3875-4264-8117-5751FEDC3350", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "59FC250F-EF0B-4604-99A2-3EEB8B2DEB77", "vulnerable": true 
}, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F577A169-8354-4218-B3C6-04DA4BDF1E3C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote attackers, with privileges to 
write to the address book, to overwrite arbitrary files and execute PHP code via crafted Horde_Form_Type_image form field elements." }, { "lang": "es", "value": "La biblioteca de formularios en Horde Application Framework versi\u00f3n 3.2 anterior a 3.2.5 y versi\u00f3n 3.3 anterior a 3.3.5; Groupware versi\u00f3n 1.1 anterior a 1.1.6 y versi\u00f3n 1.2 anterior a 1.2.4; y Groupware Webmail Edition versi\u00f3n 1.1 anterior a 1.1.6 y versi\u00f3n 1.2 anterior a 1.2.4; reutiliza los nombres de archivo temporales durante el proceso de carga, lo que permite a los atacantes remotos, con privilegios para escribir en la libreta de direcciones, sobrescribir archivos arbitrarios y ejecutar c\u00f3digo PHP por medio de elementos de campo de formulario Horde_Form_Type_image creados." } ], "id": "CVE-2009-3236", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2009-09-17T10:30:01.360", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": 
"http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36665" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36882" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2009/dsa-1897" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/58107" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125291625030436\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292088004087\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292314007049\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125292339907481\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125294558611682\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=125295852706029\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36665" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/36882" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2009/dsa-1897" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/58107" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/53202" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-11-05 19:15
Modified
2024-11-21 01:58
Severity ?
Summary
Multiple cross-site request forgery (CSRF) issues in basic.php in Horde Groupware Webmail Edition 5.1.2 and earlier.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | * | |
debian | debian_linux | 8.0 | |
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "34FE2DF4-96B1-4339-A7DE-76F29AF48CA8", "versionEndIncluding": "5.1.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php." }, { "lang": "es", "value": "M\u00faltiples problemas de tipo CSRF en Horde Groupware Webmail Edition versi\u00f3n 5.1.2 y anteriores en el archivo basic.php." 
} ], "id": "CVE-2013-6275", "lastModified": "2024-11-21T01:58:56.190", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-05T19:15:10.337", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-10/0134.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/29274" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/63377" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1029285" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-6275" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/88321" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6275" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-10/0134.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.exploit-db.com/exploits/29274" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/63377" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securitytracker.com/id/1029285" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-6275" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/88321" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6275" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-04-04 14:59
Modified
2025-04-20 01:37
Severity ?
Summary
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "A5C49058-0038-4215-A7D3-0CAB04D4A95D", "versionEndIncluding": "5.2.17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address." }, { "lang": "es", "value": "En Horde_Crypt en versiones anteriores a 2.7.6, como se utiliza en Horde Groupware Webmail Edition hasta la versi\u00f3n 5.2.17, OS Comand Inyection puede ocurrir si el atacante es un usuario autenticado Horde Webmail, tiene caracter\u00edsticas PGP habilitado en sus preferencias,e intenta cifrar un correo electr\u00f3nico a una maliciosa direcci\u00f3n de correo electr\u00f3nico manipulada." 
} ], "id": "CVE-2017-7413", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-04-04T14:59:00.303", "references": [ { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-11-05 14:15
Modified
2024-11-21 01:59
Severity ?
Summary
Horde Groupware Webmail 5.1.2 is vulnerable to cross-site request forgery (CSRF) on requests that change permissions.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 5.1.2 | |
opensuse | opensuse | 13.1 | |
opensuse | opensuse | 13.2 | |
debian | debian_linux | 8.0 | |
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.1.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "36EBEA90-C1D6-4AFE-B04D-F085986F8B92", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true }, { "criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions" }, { "lang": "es", "value": "Horde Groupware Web mail versi\u00f3n 5.1.2, presenta una vulnerabilidad de tipo CSRF con peticiones para cambiar permisos." 
} ], "id": "CVE-2013-6365", "lastModified": "2024-11-21T01:59:04.740", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-05T14:15:13.210", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0013.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6365" }, { "source": "cve@mitre.org", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6365" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/cve/CVE-2013-6365" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6365" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", 
"VDB Entry" ], "url": "https://www.securityfocus.com/archive/1/529590" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2013-11/0013.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Third Party Advisory" ], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/cve/CVE-2013-6365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://security-tracker.debian.org/tracker/CVE-2013-6365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.securityfocus.com/archive/1/529590" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-04-04 14:59
Modified
2025-04-20 01:37
Severity ?
Summary
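In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it. Note: the impacted-products list for this record stops at 5.2.7 while the description covers releases through 5.2.17, so matching on the listed CPE entries alone may miss affected installations; checking the installed Horde_Crypt version against 2.7.6 is the more reliable test.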
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 5.0.0 | |
horde | groupware | 5.0.0 rc1 | |
horde | groupware | 5.0.1 | |
horde | groupware | 5.0.2 | |
horde | groupware | 5.0.3 | |
horde | groupware | 5.0.4 | |
horde | groupware | 5.0.5 | |
horde | groupware | 5.1.0 | |
horde | groupware | 5.1.0 rc1 | |
horde | groupware | 5.1.1 | |
horde | groupware | 5.1.2 | |
horde | groupware | 5.1.3 | |
horde | groupware | 5.1.4 | |
horde | groupware | 5.1.5 | |
horde | groupware | 5.2.0 | |
horde | groupware | 5.2.0 rc1 | |
horde | groupware | 5.2.1 | |
horde | groupware | 5.2.2 | |
horde | groupware | 5.2.3 | |
horde | groupware | 5.2.4 | |
horde | groupware | 5.2.5 | |
horde | groupware | 5.2.6 | |
horde | groupware | 5.2.7 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.0.0:*:*:*:webmail:*:*:*", "matchCriteriaId": "74C2C13C-0014-4E45-B459-50B7005C828D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.0:rc1:*:*:webmail:*:*:*", "matchCriteriaId": "3C63CC65-6B19-4B8D-A4DC-3B0C3055E8A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.1:*:*:*:webmail:*:*:*", "matchCriteriaId": "A09D1D89-A623-442E-9261-F58031BB517D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "6C36F237-9CBF-4E9E-A1DF-ABCB0187E725", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.3:*:*:*:webmail:*:*:*", "matchCriteriaId": "9103D5DE-E24A-476F-AEE9-68E3736E1C7E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.4:*:*:*:webmail:*:*:*", "matchCriteriaId": "2F5106E5-050E-443C-9A67-0210AA01FE35", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.5:*:*:*:webmail:*:*:*", "matchCriteriaId": "0ABE42CD-F4E3-4255-985D-6AC712231134", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.0:*:*:*:webmail:*:*:*", "matchCriteriaId": "693E0F58-A378-4A85-94B1-66709A557623", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.0:rc1:*:*:webmail:*:*:*", "matchCriteriaId": "FB8CD370-1B28-4E95-A357-C0476458A0F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.1:*:*:*:webmail:*:*:*", "matchCriteriaId": "D3203790-5230-4F8F-AE5E-F2D48B0B1767", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "36EBEA90-C1D6-4AFE-B04D-F085986F8B92", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.3:*:*:*:webmail:*:*:*", "matchCriteriaId": "3E2F5341-D61A-4FDB-99DE-4B65B6F333C6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.4:*:*:*:webmail:*:*:*", "matchCriteriaId": "4ADEB382-91FB-4664-9569-BFBBFD0577D6", "vulnerable": 
true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.5:*:*:*:webmail:*:*:*", "matchCriteriaId": "A74B6B18-FFD3-4B38-B828-84178B0BEA4D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.0:*:*:*:webmail:*:*:*", "matchCriteriaId": "2D8D3E4C-4AE6-4168-9865-8D3D19746B45", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.0:rc1:*:*:webmail:*:*:*", "matchCriteriaId": "427CB5A7-2344-4BF2-A741-1E0A6A4972AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.1:*:*:*:webmail:*:*:*", "matchCriteriaId": "E6A8F086-D6B2-4CFB-8493-C40707E8E04D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "C08B8F45-34B5-46C7-B333-20413E8B4AA8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.3:*:*:*:webmail:*:*:*", "matchCriteriaId": "7D963CE7-E4DD-4FFE-83A0-39D465B9B59C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.4:*:*:*:webmail:*:*:*", "matchCriteriaId": "D12CBE60-F694-44C2-91E5-4676D7F80168", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.5:*:*:*:webmail:*:*:*", "matchCriteriaId": "601DED27-8DD8-4B8E-89A9-1A883594D237", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.6:*:*:*:webmail:*:*:*", "matchCriteriaId": "E47C6EF6-5006-40D6-BEFD-AEAE61200711", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.7:*:*:*:webmail:*:*:*", "matchCriteriaId": "E6670DC6-A5F2-4C70-A13F-012125B71012", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user\u0027s preferences, and has enabled the \"Should PGP signed messages be automatically verified when viewed?\" preference. 
To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it." }, { "lang": "es", "value": "En Horde_Crypt en versiones anteriores a 2.7.6, como se utiliza en Horde Groupware Webmail Edition 5.x hasta la versi\u00f3n 5.2.17, OS puede ocurrir si el usuario tiene activadas las caracter\u00edsticas de PGP en las preferencias del usuario y ha activado la preferencia \"\u00bfDeber\u00edan verificarse autom\u00e1ticamente los mensajes firmados de PGP cuando se visualizan?\". Para aprovechar esta vulnerabilidad, un atacante puede enviar un correo electr\u00f3nico firmado por PGP (que se ha creado de manera malintencionada) al usuario de la Horda, que debe verlo o visualizarlo." } ], "id": "CVE-2017-7414", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-04-04T14:59:00.337", "references": [ { "source": 
"cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-24 18:15
Modified
2024-11-21 04:22
Severity ?
Summary
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: the treanBookmarkTags value could, for example, be a stored XSS payload, which is consistent with this record listing both CWE-352 and CWE-79 as weaknesses.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "9B749CF0-3995-4FFF-BA34-35D7C889AD78", "versionEndIncluding": "5.2.22", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload." }, { "lang": "es", "value": "Horde Trean, como se utiliza en Horde Groupware Webmail Edition a trav\u00e9s de 5.2.22 y otros productos, permite CSRF, como lo demuestra el par\u00e1metro treanBookmarkTags al trean / URI en un servidor de correo web. NOTA: treanBookmarkTags podr\u00eda, por ejemplo, ser una carga \u00fatil XSS almacenada." } ], "id": "CVE-2019-12095", "lastModified": "2024-11-21T04:22:11.353", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, 
"exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-24T18:15:11.297", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Vendor Advisory" ], "url": "https://bugs.horde.org/ticket/14926" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161333" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46903" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Vendor Advisory" ], "url": "https://bugs.horde.org/ticket/14926" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161333" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Exploit", "Third Party Advisory" ], "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46903" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" }, { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2009-12-21 16:30
Modified
2025-04-09 00:30
Severity ?
Summary
Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:application_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CD5438E-7D99-4286-81F3-1A304E9A7BDA", "versionEndIncluding": "3.3.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D3532FD-0E85-4EDC-A3A7-76F8BA915B6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.1:*:*:*:*:*:*:*", "matchCriteriaId": "D39B3B91-16B9-4B5B-AB4E-9BA568CC1E5D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "ACBE1BB3-EAB6-4388-95C2-0513B0D6A327", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "8B402F70-BAAD-44D6-B414-F615F973DC9B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F1F2DA0C-C8A3-429C-83C7-B2983D3FF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "7535FE38-0FBD-48CC-9FDE-C7CA2C18CA24", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "A14A770E-60BC-4698-8BFC-5FB745A52279", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.4_rc1:*:*:*:*:*:*:*", "matchCriteriaId": "23A0AA21-C88D-45C4-9D95-414B2278E601", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8AE35AF8-CA38-42FB-BA32-057BCA2CA2AD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "C91CA767-F49D-48E9-80CE-78B65DD14DF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "CEC8BBFC-263E-4735-847D-5544D18922E4", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:application_framework:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8DB1F389-5D64-4B8C-B207-7D23F0C12DBE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "BE8892DF-11F2-4991-97E8-D561DEAC4F5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3B46B6F5-055E-44EB-BB78-503811C0E57C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "66B197B0-F3B7-40D6-9872-C1A94622C242", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "2698E2D7-09BF-4490-B362-4245CD3087D1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "A3B40A46-117D-4D85-8CC8-27236A3280C0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "FEFBECFF-D1A4-465D-B59F-E70246DE4BE7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "57ABD1BD-6676-4B54-9F3E-FACF1346794F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "79EC6167-5D16-4236-8EBC-412EE1784802", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "5A4F6A2A-05B6-42EA-8F61-D0AB610A6757", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "D1F91CDA-B425-4DB2-89E4-12267B600D13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "7A8BB743-A760-4C72-880C-759E54FB7CF1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "89477FCC-C925-418A-A3FF-F5B02736600C", 
"vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5862181-4CE7-452F-8877-41E099440188", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "B3E601FE-94F1-48AD-A0F2-42824A3A4FC1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3:*:*:*:*:*:*:*", "matchCriteriaId": "BDE2B06C-EDBD-4FA1-90AA-148E39EF5AE4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5CF33A8-C497-4C86-8C5D-7181597BEC53", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "30B312DB-14BE-425C-9B07-0CBED6F39E2F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "A2CF2865-CA12-4C4C-9BEC-7A97E6AAB377", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:application_framework:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "DF389AE4-D2AD-4992-BFBD-68FB1CBEE50B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5611B7D8-8AEF-42A8-8132-39CE773A7C18", "versionEndIncluding": "1.2.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D59C23FB-E223-4EED-8F69-3CC1EE7DF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "904EEFF0-CF66-43E6-BAA9-1A6FB4115CB3", "vulnerable": true 
}, { "criteria": "cpe:2.3:a:horde:groupware:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3AB0176-9CB3-4D49-B644-2C413C9B6E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5611B7D8-8AEF-42A8-8132-39CE773A7C18", "versionEndIncluding": "1.2.4", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E55009DF-EDF1-4FAE-88E7-1CF33BFFEBC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "980162BB-48B3-4921-987A-6D18C62965A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D59C23FB-E223-4EED-8F69-3CC1EE7DF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "904EEFF0-CF66-43E6-BAA9-1A6FB4115CB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3AB0176-9CB3-4D49-B644-2C413C9B6E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "C95E9B57-2DB0-4692-A7D1-180EC3687D1B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "6E7D8683-8DD4-4EB0-A28F-0C556304BB2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "9F68E5D5-7812-4FB2-ACF9-76180B038D80", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "37B76B27-ADF0-4E88-B92C-304FB38A356E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "965F245A-879A-4DF0-ABC5-588E78C4CBBD", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:horde:groupware:1.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "3DCB29F9-3875-4264-8117-5751FEDC3350", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "59FC250F-EF0B-4604-99A2-3EEB8B2DEB77", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAF1A6AE-0748-476B-ACE2-DA43A9443B7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F577A169-8354-4218-B3C6-04DA4BDF1E3C", 
"vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by \"an XSS vulnerability in Firefox browsers.\"" }, { "lang": "es", "value": "Text_Filter/lib/Horde/Text/Filter/Xss.php en Horde Application Framework versiones anteriores a v3.3.6, Horde Groupware versiones anteriores a v1.2.5, y Horde Groupware Webmail Edition versiones anteriores a v1.2.5 no maneja adecuadamente data: URIs, permitiendo a atacantes remotos dirigir ataques de secuencias de comandos en sitios cruzados (XSS) mediante valores data:text/html para el atributo HREF de un elemento A en un mensaje HTML de correo electr\u00f3nico. NOTA: el proveedor mantiene que el incidente est\u00e1 causado por \"una vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el navegador Firefox\"." 
} ], "id": "CVE-2009-4363", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2009-12-21T16:30:00.483", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://bugs.horde.org/ticket/8715" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://bugs.horde.org/view.php?actionID=view_file\u0026type=patch\u0026file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch\u0026ticket=8715" }, { "source": "cve@mitre.org", "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "source": "cve@mitre.org", "url": "http://securitytracker.com/id?1023365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://bugs.horde.org/ticket/8715" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://bugs.horde.org/view.php?actionID=view_file\u0026type=patch\u0026file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch\u0026ticket=8715" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559\u0026r2=1.515.2.589\u0026ty=h" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2009/000529.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=126100750018478\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://marc.info/?l=horde-announce\u0026m=126101076422179\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1023365" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-11-20 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.19:*:*:*:*:*:*:*", "matchCriteriaId": "E509D906-4D06-4404-B420-523CE6313855", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.21:*:*:*:*:*:*:*", "matchCriteriaId": "A7054862-3FC5-4F4D-8596-3E9CF7E9D793", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action." }, { "lang": "es", "value": "En Horde Groupware 5.2.19 y 5.2.21, existe XSS mediante el campo Color en una acci\u00f3n Create Task List." } ], "id": "CVE-2017-16907", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-11-20T20:29:00.387", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": 
"http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00046.html" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00047.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00046.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00047.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-05-18 17:15
Modified
2024-11-21 05:38
Severity ?
Summary
Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:gollem:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D81DB46-9AC0-4484-B46C-29D8044163EF", "versionEndExcluding": "3.0.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.22:*:*:*:webmail:*:*:*", "matchCriteriaId": "13EBB673-7F7D-402E-9791-7974AC24B529", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim\u0027s webmail account by making them visit a malicious URL." }, { "lang": "es", "value": "Gollem versiones anteriores a 3.0.13, tal como es usado en Horde Groupware Webmail Edition versi\u00f3n 5.2.22 y otros productos, est\u00e1 afectado por una vulnerabilidad de tipo Cross-Site Scripting (XSS) reflejada por medio del par\u00e1metro HTTP GET dir en la funcionalidad browser, afectando a una salida del breadcrumb. Un atacante puede obtener acceso a la cuenta de correo web de una v\u00edctima al hacer que visite una URL maliciosa." 
} ], "id": "CVE-2020-8034", "lastModified": "2024-11-21T05:38:15.790", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-05-18T17:15:11.053", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/horde/gollem/commits/master" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/announce/2020/001289.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", 
"Third Party Advisory" ], "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/horde/gollem/commits/master" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/announce/2020/001289.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-24 17:15
Modified
2024-11-21 04:22
Severity ?
Summary
Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "9B749CF0-3995-4FFF-BA34-35D7C889AD78", "versionEndIncluding": "5.2.22", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f\u0026user_name= or admin/user.php?form=remove_f\u0026user_name= or admin/config/diff.php?app= URI." }, { "lang": "es", "value": "Horde Groupware Webmail Edition hasta la versi\u00f3n 5.2.22 permite XSS a trav\u00e9s de admin/user.php?form=update_f\u0026user_name= o admin/user.php?form=remove_f\u0026user_name= o admin/config/diff.php?app= URI." } ], "id": "CVE-2019-12094", "lastModified": "2024-11-21T04:22:11.197", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-24T17:15:12.320", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Vendor Advisory" ], "url": "https://bugs.horde.org/ticket/14926" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46903" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Vendor Advisory" ], "url": "https://bugs.horde.org/ticket/14926" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://cxsecurity.com/issue/WLB-2019050199" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://numanozdemir.com/respdisc/horde/horde.mp4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://numanozdemir.com/respdisc/horde/horde.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46903" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", 
"weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-11 03:29
Modified
2025-04-20 01:37
Severity ?
Summary
The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.21:*:*:*:*:*:*:*", "matchCriteriaId": "A7054862-3FC5-4F4D-8596-3E9CF7E9D793", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename." }, { "lang": "es", "value": "El m\u00f3dulo File Manager (gollem) 3.0.11 en Horde Groupware 5.2.21 permite que atacantes remotos omitan la autenticaci\u00f3n de Horde para descargas de archivos mediante un par\u00e1metro fn manipulado que corresponde al nombre de archivo exacto." } ], "id": "CVE-2017-15235", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-11T03:29:00.257", "references": [ { "source": 
"cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blogs.securiteam.com/index.php/archives/3454" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00050.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blogs.securiteam.com/index.php/archives/3454" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00050.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-425" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-12-20 22:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.15:*:*:*:*:*:*:*", "matchCriteriaId": "A8B0DD3C-3E39-43B7-9274-A1C92DF05AA1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.15:*:*:*:webmail:*:*:*", "matchCriteriaId": "D33C6D9A-1368-46DC-93DA-F6411C47BF17", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute." }, { "lang": "es", "value": "Vulnerabilidad de XSS en la API Horde Text Filter en Horde Groupware y Horde Groupware Webmail Edition en versiones anteriores a 5.2.16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de contenido data:text/html manipulado en un atributo (1) action o (2) xlink de un formulario." 
} ], "id": "CVE-2016-5303", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-12-20T22:59:00.287", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "http://marc.info/?l=horde-announce\u0026m=147319066126665\u0026w=2" }, { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "http://marc.info/?l=horde-announce\u0026m=147319089526753\u0026w=2" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/94997" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third 
Party Advisory" ], "url": "http://marc.info/?l=horde-announce\u0026m=147319066126665\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "http://marc.info/?l=horde-announce\u0026m=147319089526753\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/94997" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-29 17:29
Modified
2024-11-21 04:52
Severity ?
Summary
Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it's never submitted by the forms, which default to securely using a random path.)
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 5.2.17 | |
horde | groupware | 5.2.22 | |
debian | debian_linux | 8.0 | |
debian | debian_linux | 9.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.17:*:*:*:webmail:*:*:*", "matchCriteriaId": "AF7F6996-3017-4D4B-84B4-5C80856D555D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.22:*:*:*:webmail:*:*:*", "matchCriteriaId": "13EBB673-7F7D-402E-9791-7974AC24B529", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true }, { "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. The unsanitized POST parameter object[photo][img][file] is saved in the $upload[img][file] PHP variable, allowing an attacker to manipulate the $tmp_file passed to move_uploaded_file() to save the uploaded file. By setting the parameter to (for example) ../usr/share/horde/static/bd.php, one can write a PHP backdoor inside the web root. The static/ destination folder is a good candidate to drop the backdoor because it is always writable in Horde installations. (The unsanitized POST parameter went probably unnoticed because it\u0027s never submitted by the forms, which default to securely using a random path.)" }, { "lang": "es", "value": "Fue encontrada una ejecuci\u00f3n remota de c\u00f3digo en Horde Groupware Webmail versi\u00f3n 5.2.22 y versi\u00f3n 5.2.17. 
El archivo Horde/Form/Type.php contiene una clase vulnerable que maneja la carga de im\u00e1genes en formularios. Cuando se llama al m\u00e9todo onSubmit() de Horde_Form_Type_image en las cargas, este invoca las funciones getImage() y _getUpload(), que utilizan una entrada de usuario no saneada como path para guardar la imagen. El par\u00e1metro POST no saneado object[photo][img][file] se guarda en la variable PHP $upload[img][file], lo que permite a un atacante manipular el $tmp_file pasado a move_uploaded_file() para guardar el archivo cargado. Al establecer el par\u00e1metro en (por ejemplo) ../usr/share/horde/static/bd.php, se puede escribir un backdoor PHP dentro de la web root. La carpeta de destino static/ es un buen candidato para alojar el backdoor porque siempre tiene permisos de escritura en las instalaciones Horde. (El par\u00e1metro POST no saneado probablemente pas\u00f3 desapercibido porque los formularios nunca lo env\u00edan, ya que de forma predeterminada utilizan de manera segura una path aleatoria)." 
} ], "id": "CVE-2019-9858", "lastModified": "2024-11-21T04:52:27.087", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-29T17:29:00.633", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://seclists.org/bugtraq/2019/Jun/31" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://ssd-disclosure.com/?p=3814\u0026preview=true" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2019/dsa-4468" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", 
"Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/152476/Horde-Form-Shell-Upload.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00007.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://seclists.org/bugtraq/2019/Jun/31" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://ssd-disclosure.com/?p=3814\u0026preview=true" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2019/dsa-4468" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-03-31 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:imp:*:*:*:*:*:*:*:*", "matchCriteriaId": "313CF637-CA8F-4AC0-BE3D-9D7B4125D81E", "versionEndIncluding": "4.3.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "8D2A8C5B-6155-4B40-B8C8-B4944064E3DF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D11E08A4-79D6-46FE-880F-66E9778C298E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "55A3894F-2E3F-49CA-BEE5-759D603F6EAD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "FDDBDC41-7E6F-4C97-95BD-7DEB2D9FE837", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "3B52D447-8E56-4E04-9650-38D222DA8D2C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "1C455353-0401-4975-89BC-C23D32A684F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "C1D9D9E1-D8B7-4A56-BC2F-90BDC97322B5", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "59DE856E-98FF-4B49-BD7F-3E326FEB89EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "6ED34889-9F98-46BC-9176-557484272C05", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "B7FBC61D-6A08-4DE8-A5E5-A3FC57E7759D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:2.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52AEEE6-2364-4CFB-9337-C5CCA54362E6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "AD137160-B80D-4C65-A9A9-CEE12107E3DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4E6C2AC8-C21A-4152-AAE6-915ACE65CB5C", "vulnerable": true 
}, { "criteria": "cpe:2.3:a:horde:imp:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "1956C8F0-EB91-4322-85C1-6BE15AA13703", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2:*:*:*:*:*:*:*", "matchCriteriaId": "A48DEBEB-0C2D-4F6A-AF63-04990D2FD5AE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "8E004FA4-0180-458A-8E8C-8167EF684ED8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "1F0A1617-17D1-4C9F-A818-27321FD2FEAE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "D86CDC19-43C3-4ACC-94B4-388BCC8A2203", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "E9931A5B-CD0C-43A3-B32D-915FF4AF57D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "FDC69F98-A3B4-4573-AFE4-2069218B3454", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "AD4D0137-3515-4857-8E70-4600CD2D4278", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "A59756D1-3401-4B15-8B68-AA68B5BC3223", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:3.2.7:rc1:*:*:*:*:*:*", "matchCriteriaId": "73FD31BC-651B-461F-B9F4-6CA8D5CCE583", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "184592A5-4108-40DB-8882-9D2468490DE9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "28470602-E3F1-4F04-B012-F91AB95E7A68", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "6B584932-BFB2-4462-BC69-B9FCC059F59F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "702F7A33-CF9E-4966-B622-E4BD27B120AB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.0.4:*:*:*:*:*:*:*", 
"matchCriteriaId": "FF1BB456-5462-4ACE-AECF-730B1C7BE2CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "1D23A341-217D-4AF2-AC61-DFC9761AFE3E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "C129AAEE-5388-4D81-AC1F-570EFF27EF89", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "01CBF0CE-7133-4281-842C-3584AE13F36D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.2:*:*:*:*:*:*:*", "matchCriteriaId": "373263B9-D967-4A9B-A062-FC841061E143", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "05FAFC4C-8E72-4EA5-930F-6F76CCD0138A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "F91A26C3-D538-4935-90FF-DDD5E8733968", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3:*:*:*:*:*:*:*", "matchCriteriaId": "1F9064E7-6081-4B23-BC03-21E6F483FA53", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "3E60BFE2-B3E4-416F-9697-58D912907E86", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "B4C5D659-E2C1-444D-8B5C-28970D830F1D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "72D702C7-2789-4837-BC74-59570B13B4C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "1A363643-3EF2-4F05-A934-0187AF846D51", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "4611791C-DA55-4F37-9030-1BEA17D0D817", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:imp:4.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "2C5EC486-EF14-43DF-9152-69456E0FE271", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": 
"cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D82E23DB-0652-4BA9-9D9A-0107BEC1EA31", "versionEndIncluding": "1.2.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E55009DF-EDF1-4FAE-88E7-1CF33BFFEBC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "980162BB-48B3-4921-987A-6D18C62965A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D59C23FB-E223-4EED-8F69-3CC1EE7DF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "904EEFF0-CF66-43E6-BAA9-1A6FB4115CB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3AB0176-9CB3-4D49-B644-2C413C9B6E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "C95E9B57-2DB0-4692-A7D1-180EC3687D1B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "6E7D8683-8DD4-4EB0-A28F-0C556304BB2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "9F68E5D5-7812-4FB2-ACF9-76180B038D80", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": 
"37B76B27-ADF0-4E88-B92C-304FB38A356E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "965F245A-879A-4DF0-ABC5-588E78C4CBBD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "3DCB29F9-3875-4264-8117-5751FEDC3350", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "59FC250F-EF0B-4604-99A2-3EEB8B2DEB77", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAF1A6AE-0748-476B-ACE2-DA43A9443B7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", 
"matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F577A169-8354-4218-B3C6-04DA4BDF1E3C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "1FAFD66F-81F7-48F9-87F0-E394F55A1288", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "2BA91C75-69CF-45AE-AF23-ADE9259B7C9C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration." }, { "lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en fetchmailprefs.php en Horde IMP anterior a v4.3.8, y Horde Groupware Webmail Edition anterior a v1.2.7, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro fm_id en una acci\u00f3n fetchmail_prefs_save, relacionado con la configuraci\u00f3n de Fetchmail." 
} ], "id": "CVE-2010-3695", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2011-03-31T22:55:01.897", "references": [ { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598584" }, { "source": "secalert@redhat.com", "url": "http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde\u0026r1=1.699.2.424\u0026r2=1.699.2.430\u0026ty=h" }, { "source": "secalert@redhat.com", "url": "http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2010/000558.html" }, { "source": "secalert@redhat.com", "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/7" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "source": "secalert@redhat.com", "tags": 
[ "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/10/01/6" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/41627" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/43896" }, { "source": "secalert@redhat.com", "url": "http://securityreason.com/securityalert/8170" }, { "source": "secalert@redhat.com", "url": "http://www.debian.org/security/2011/dsa-2204" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/513992/100/0/threaded" }, { "source": "secalert@redhat.com", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/43515" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2513" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2011/0769" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=641069" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598584" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde\u0026r1=1.699.2.424\u0026r2=1.699.2.430\u0026ty=h" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde\u0026r1=1.39.4.10\u0026r2=1.39.4.11" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Patch" ], "url": "http://lists.horde.org/archives/announce/2010/000558.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/10/01/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/41627" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/43896" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/8170" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2011/dsa-2204" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/513992/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/43515" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2513" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2011/0769" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=641069" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-07-28 22:15
Modified
2024-11-21 07:02
Severity ?
Summary
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.sonarsource.com/horde-webmail-rce-via-email/ | Exploit, Third Party Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html | Mailing List, Third Party Advisory | |
cve@mitre.org | https://www.horde.org/apps/webmail | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/horde-webmail-rce-via-email/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2024/10/msg00014.html | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.horde.org/apps/webmail | Release Notes, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | * (Webmail Edition, up to and including 5.2.22) | |
debian | debian_linux | 10.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "9B749CF0-3995-4FFF-BA34-35D7C889AD78", "versionEndIncluding": "5.2.22", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects." }, { "lang": "es", "value": "Horde Groupware Webmail Edition versiones hasta 5.2.22, permite un ataque de inyecci\u00f3n de reflexi\u00f3n mediante el cual un atacante puede instanciar una clase de controlador. Esto conlleva a una deserializaci\u00f3n arbitraria de objetos PHP" } ], "id": "CVE-2022-30287", "lastModified": "2024-11-21T07:02:30.240", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-07-28T22:15:08.373", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/horde-webmail-rce-via-email/" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html" }, { "source": "cve@mitre.org", 
"tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://www.horde.org/apps/webmail" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.sonarsource.com/horde-webmail-rce-via-email/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00022.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00014.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://www.horde.org/apps/webmail" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-470" }, { "lang": "en", "value": "CWE-502" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-04-13 16:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
fedoraproject | fedora | 22 | |
fedoraproject | fedora | 23 | |
horde | groupware | 5.2.11 | |
horde | groupware | 5.2.11 (Webmail Edition) | |
debian | debian_linux | 8.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*", "matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*", "matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "2E6D8F50-BCFC-4573-84D9-4452F971FFEB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.2.11:*:*:*:webmail:*:*:*", "matchCriteriaId": "525D93F0-0B34-4696-9955-89082F78EB86", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields." }, { "lang": "es", "value": "Vulnerabilidad de XSS en la funci\u00f3n _renderVarInput_number en horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php en Horde Groupware en versiones anteriores a 5.2.12 y Horde Groupware Webmail Edition en versiones anteriores a 5.2.12 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores que implican campos de formulario num\u00e9ricos." 
} ], "id": "CVE-2015-8807", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-04-13T16:59:00.127", "references": [ { "source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "source": "cve@mitre.org", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2016/dsa-3496" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "source": 
"cve@mitre.org", "tags": [ "Exploit" ], "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" }, { "source": "cve@mitre.org", "url": "https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2016/001148.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2016/001149.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3496" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/02/06/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-05-18 15:15
Modified
2024-11-21 05:38
Summary
The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "B7D4337C-4335-4418-8A7D-22F042889933", "versionEndExcluding": "5.2.22", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim\u0027s webmail account by making them visit a malicious URL." }, { "lang": "es", "value": "La funcionalidad image view en Horde Groupware Webmail Edition versiones anteriores a 5.2.22, est\u00e1 afectada por una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenada por medio de una carga de imagen SVG que contiene una carga \u00fatil de JavaScript. Un atacante puede obtener acceso a una cuenta de correo web de una v\u00edctima al hacer que visite una URL maliciosa." 
} ], "id": "CVE-2020-8035", "lastModified": "2024-11-21T05:38:15.937", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-05-18T15:15:11.113", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/horde/base/blob/c00f2fdb222055fb2ccb6d53b5b5240c0a7d2a75/docs/CHANGES" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00035.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/announce/2020/001290.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/horde/base/blob/c00f2fdb222055fb2ccb6d53b5b5240c0a7d2a75/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00035.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/announce/2020/001290.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-25 22:55
Modified
2025-04-11 00:51
Summary
Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contain an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "121E4B35-373A-4CB8-8F07-15DF6A561A57", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.10:*:webmail:*:*:*:*:*", "matchCriteriaId": "8B058CCB-D628-4919-A07B-E9699325289F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:horde:3.3.12:*:*:*:*:*:*:*", "matchCriteriaId": "D2EA3564-82E2-4FD8-AA0C-F508254E389A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code." }, { "lang": "es", "value": "Horde v3.3.12, Horde Groupware v1.2.10, y Horde Groupware Webmail Edition v1.2.10, como el distribuido por FTP entre noviembre del 2011 y febrero del 2012, contiene unas modificaciones introducidas externamente (troyano) en templates/javascript/open_calendar.js, lo que permite a atacantes remotos ejecutar c\u00f3digo PHP." 
} ], "id": "CVE-2012-0209", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-09-25T22:55:00.753", "references": [ { "source": "security@debian.org", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://dev.horde.org/h/jonah/stories/view.php?channel_id=1\u0026id=155" }, { "source": "security@debian.org", "tags": [ "Exploit" ], "url": "http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/" }, { "source": "security@debian.org", "tags": [ "Exploit", "Patch" ], "url": "http://lists.horde.org/archives/announce/2012/000751.html" }, { "source": "security@debian.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html" }, { "source": "security@debian.org", "tags": [ "Patch" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=790877" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Vendor Advisory" ], "url": "http://dev.horde.org/h/jonah/stories/view.php?channel_id=1\u0026id=155" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://lists.horde.org/archives/announce/2012/000751.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=790877" } ], "sourceIdentifier": "security@debian.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-05 21:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | kronolith_h4 | * | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0.1 | |
horde | kronolith_h4 | 3.0.2 | |
horde | kronolith_h4 | 3.0.3 | |
horde | kronolith_h4 | 3.0.4 | |
horde | kronolith_h4 | 3.0.5 | |
horde | kronolith_h4 | 3.0.6 | |
horde | kronolith_h4 | 3.0.7 | |
horde | kronolith_h4 | 3.0.8 | |
horde | kronolith_h4 | 3.0.9 | |
horde | kronolith_h4 | 3.0.10 | |
horde | kronolith_h4 | 3.0.11 | |
horde | kronolith_h4 | 3.0.12 | |
horde | kronolith_h4 | 3.0.13 | |
horde | kronolith_h4 | 3.0.14 | |
horde | kronolith_h4 | 3.0.15 | |
horde | groupware | * | |
horde | groupware | 4.0 | |
horde | groupware | 4.0 | |
horde | groupware | 4.0 | |
horde | groupware | 4.0.1 | |
horde | groupware | 4.0.2 | |
horde | groupware | 4.0.3 | |
horde | groupware | 4.0.4 | |
horde | groupware | 4.0.5 | |
horde | groupware | 4.0.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:kronolith_h4:*:*:*:*:*:*:*:*", "matchCriteriaId": "66A1075D-78B7-4890-BBD4-C45214F87713", "versionEndIncluding": "3.0.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F75CC603-45D1-4FAB-8E4D-B5CF7F6FC99A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "C3C905F8-1A2F-46A4-AD0F-9118AC3CC16D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B60EDA48-5703-4A6D-906D-8BB833B3CC34", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "B887A9E9-C8D2-4622-A4E8-A39E5DCD0301", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "BD8032AE-F6E0-498C-A473-B1215DD4FF25", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "1823C3C8-3C94-4991-9ADE-7D966093F2C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1E5535C3-442C-41C1-9EDD-BC5FA23C9E80", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F4111B8-1AC2-4C36-8366-1E70FDA8EF49", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "5CEEE7D7-13BA-4F25-8E82-00F59CA52CD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4D2EAFA0-CC18-4B73-B72F-A467AEE62803", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8007A3CC-5916-42A9-9892-969A3BC49E7F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "5581E8B0-344B-41DB-9892-F4F36324E743", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "7E82DBE7-5230-45A8-B6E7-2C73B1867134", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "02646219-43E5-4912-B003-F6556582C399", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "54D4B84A-713E-4918-AB12-603D300901FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "B804D928-5962-4C23-93FE-532E58891B43", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "ABC86F11-5EED-4BB3-A53C-D3749103EF1C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "AB1D4DCE-A86A-4155-A249-2BB5B875A934", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "E54F5C8A-7E89-4C80-9228-BCB121D8DA6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "25BE11AE-6988-4754-9102-4704707F6182", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:webamail:*:*:*:*:*", "matchCriteriaId": "78048C68-E5F6-4A8C-87FB-0D612D0E6595", "versionEndIncluding": "4.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:*:webamail:*:*:*:*:*", "matchCriteriaId": "F505E80A-B91C-401C-9B77-F34B00ECA434", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:rc1:webamail:*:*:*:*:*", "matchCriteriaId": "A9129D4A-F365-4630-976A-DBFBBEA531FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:rc2:webamail:*:*:*:*:*", "matchCriteriaId": "C910D464-66B3-4593-A7D8-3FD3EADB9AFE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.1:*:webamail:*:*:*:*:*", "matchCriteriaId": 
"A6A67FDD-C9CE-43E4-ADD9-DB5699BEF61C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.2:*:webamail:*:*:*:*:*", "matchCriteriaId": "A1158FCA-2AAB-4EC4-9B34-F1B44DDA4FA9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.3:*:webamail:*:*:*:*:*", "matchCriteriaId": "2A0A5DB9-3731-466D-8D0F-7BE71A34184B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.4:*:webamail:*:*:*:*:*", "matchCriteriaId": "5D07339E-54B9-4513-82EB-0FB53AD5B82B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.5:*:webamail:*:*:*:*:*", "matchCriteriaId": "717CB664-818F-4583-83FF-47B167993569", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.6:*:webamail:*:*:*:*:*", "matchCriteriaId": "185839EF-1F07-4C2C-B710-FD607EAD0A71", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en la aplicaci\u00f3n de calendario de Horde Kronolith H4 anterior a 3.0.17, utilizado en Horde Groupware Webmail Edition anterior a 4.0.8, permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s de la visualizaci\u00f3n de (1) tareas o (2) b\u00fasqueda." 
} ], "id": "CVE-2012-5566", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-04-05T21:55:06.253", "references": [ { "source": "secalert@redhat.com", "url": "http://bugs.horde.org/ticket/11189" }, { "source": "secalert@redhat.com", "url": "http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2012/000773.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51469" }, { "source": "secalert@redhat.com", "url": "http://securitytracker.com/id?1027106" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/82371" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/82382" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/56541" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/horde/horde/blob/master/kronolith/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", 
"url": "http://bugs.horde.org/ticket/11189" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2012/000773.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51469" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securitytracker.com/id?1027106" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/82371" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/82382" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/56541" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/horde/horde/blob/master/kronolith/docs/CHANGES" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-04-05 21:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1) month, (2) monthlist, or (3) prevmonthlist fields, related to portal blocks.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | * | |
horde | groupware | 4.0 | |
horde | groupware | 4.0 | |
horde | groupware | 4.0 | |
horde | groupware | 4.0.1 | |
horde | groupware | 4.0.2 | |
horde | groupware | 4.0.3 | |
horde | groupware | 4.0.4 | |
horde | groupware | 4.0.5 | |
horde | groupware | 4.0.6 | |
horde | groupware | 4.0.7 | |
horde | kronolith_h4 | * | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0 | |
horde | kronolith_h4 | 3.0.1 | |
horde | kronolith_h4 | 3.0.2 | |
horde | kronolith_h4 | 3.0.3 | |
horde | kronolith_h4 | 3.0.4 | |
horde | kronolith_h4 | 3.0.5 | |
horde | kronolith_h4 | 3.0.6 | |
horde | kronolith_h4 | 3.0.7 | |
horde | kronolith_h4 | 3.0.8 | |
horde | kronolith_h4 | 3.0.9 | |
horde | kronolith_h4 | 3.0.10 | |
horde | kronolith_h4 | 3.0.11 | |
horde | kronolith_h4 | 3.0.12 | |
horde | kronolith_h4 | 3.0.13 | |
horde | kronolith_h4 | 3.0.14 | |
horde | kronolith_h4 | 3.0.15 | |
horde | kronolith_h4 | 3.0.16 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:webamail:*:*:*:*:*", "matchCriteriaId": "E888C8C2-27C5-4BD0-9EEE-750DF5DE6488", "versionEndIncluding": "4.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:*:webamail:*:*:*:*:*", "matchCriteriaId": "F505E80A-B91C-401C-9B77-F34B00ECA434", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:rc1:webamail:*:*:*:*:*", "matchCriteriaId": "A9129D4A-F365-4630-976A-DBFBBEA531FF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0:rc2:webamail:*:*:*:*:*", "matchCriteriaId": "C910D464-66B3-4593-A7D8-3FD3EADB9AFE", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.1:*:webamail:*:*:*:*:*", "matchCriteriaId": "A6A67FDD-C9CE-43E4-ADD9-DB5699BEF61C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.2:*:webamail:*:*:*:*:*", "matchCriteriaId": "A1158FCA-2AAB-4EC4-9B34-F1B44DDA4FA9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.3:*:webamail:*:*:*:*:*", "matchCriteriaId": "2A0A5DB9-3731-466D-8D0F-7BE71A34184B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.4:*:webamail:*:*:*:*:*", "matchCriteriaId": "5D07339E-54B9-4513-82EB-0FB53AD5B82B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.5:*:webamail:*:*:*:*:*", "matchCriteriaId": "717CB664-818F-4583-83FF-47B167993569", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.6:*:webamail:*:*:*:*:*", "matchCriteriaId": "185839EF-1F07-4C2C-B710-FD607EAD0A71", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:4.0.7:*:webamail:*:*:*:*:*", "matchCriteriaId": "29D96163-C022-4DBD-8B94-746665B99A73", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:kronolith_h4:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF9C1B7C-8DE5-4925-9651-9204FB96667B", "versionEndIncluding": "3.0.17", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:kronolith_h4:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "F75CC603-45D1-4FAB-8E4D-B5CF7F6FC99A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "C3C905F8-1A2F-46A4-AD0F-9118AC3CC16D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B60EDA48-5703-4A6D-906D-8BB833B3CC34", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "B887A9E9-C8D2-4622-A4E8-A39E5DCD0301", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "BD8032AE-F6E0-498C-A473-B1215DD4FF25", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "1823C3C8-3C94-4991-9ADE-7D966093F2C2", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "1E5535C3-442C-41C1-9EDD-BC5FA23C9E80", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F4111B8-1AC2-4C36-8366-1E70FDA8EF49", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "5CEEE7D7-13BA-4F25-8E82-00F59CA52CD4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4D2EAFA0-CC18-4B73-B72F-A467AEE62803", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8007A3CC-5916-42A9-9892-969A3BC49E7F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "5581E8B0-344B-41DB-9892-F4F36324E743", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "7E82DBE7-5230-45A8-B6E7-2C73B1867134", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.9:*:*:*:*:*:*:*", "matchCriteriaId": 
"02646219-43E5-4912-B003-F6556582C399", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "54D4B84A-713E-4918-AB12-603D300901FD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "B804D928-5962-4C23-93FE-532E58891B43", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "ABC86F11-5EED-4BB3-A53C-D3749103EF1C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "AB1D4DCE-A86A-4155-A249-2BB5B875A934", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "E54F5C8A-7E89-4C80-9228-BCB121D8DA6C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "25BE11AE-6988-4754-9102-4704707F6182", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith_h4:3.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "8BD48168-FCC7-49C4-AC41-3E55DCF62702", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1) month, (2) monthlist, or (3) prevmonthlist fields, related to portal blocks." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en la aplicaci\u00f3n de calendario de Horde Kronolith H4 anterior a 3.0.18, utilizado en Horde Groupware Webmail Edition anterior a 4.0.9, permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s de par\u00e1metros de localizaci\u00f3n de evento manipulados en los campos (1) month, (2) monthlist o (3) prevmonthlist, relacionado con bloques de portales." } ], "id": "CVE-2012-5567", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-04-05T21:55:06.300", "references": [ { "source": "secalert@redhat.com", "url": "http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e" }, { "source": "secalert@redhat.com", "url": "http://lists.horde.org/archives/announce/2012/000836.html" }, { "source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51233" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51469" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "source": "secalert@redhat.com", "url": 
"http://www.osvdb.org/87345" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/56541" }, { "source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=879684" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.horde.org/archives/announce/2012/000836.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51233" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51469" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/23/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/87345" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/56541" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=879684" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-07-14 14:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*", "matchCriteriaId": "457A127F-2D18-4FAC-A51F-6B10BBC59C40", "versionEndIncluding": "5.1.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.0:*:*:*:webmail:*:*:*", "matchCriteriaId": "74C2C13C-0014-4E45-B459-50B7005C828D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.0:rc1:*:*:webmail:*:*:*", "matchCriteriaId": "3C63CC65-6B19-4B8D-A4DC-3B0C3055E8A7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.1:*:*:*:webmail:*:*:*", "matchCriteriaId": "A09D1D89-A623-442E-9261-F58031BB517D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "6C36F237-9CBF-4E9E-A1DF-ABCB0187E725", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.3:*:*:*:webmail:*:*:*", "matchCriteriaId": "9103D5DE-E24A-476F-AEE9-68E3736E1C7E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.4:*:*:*:webmail:*:*:*", "matchCriteriaId": "2F5106E5-050E-443C-9A67-0210AA01FE35", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.0.5:*:*:*:webmail:*:*:*", "matchCriteriaId": "0ABE42CD-F4E3-4255-985D-6AC712231134", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.0:*:*:*:webmail:*:*:*", "matchCriteriaId": "693E0F58-A378-4A85-94B1-66709A557623", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.0:rc1:*:*:webmail:*:*:*", "matchCriteriaId": "FB8CD370-1B28-4E95-A357-C0476458A0F3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.1:*:*:*:webmail:*:*:*", "matchCriteriaId": "D3203790-5230-4F8F-AE5E-F2D48B0B1767", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.2:*:*:*:webmail:*:*:*", "matchCriteriaId": "36EBEA90-C1D6-4AFE-B04D-F085986F8B92", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:5.1.3:*:*:*:webmail:*:*:*", "matchCriteriaId": 
"3E2F5341-D61A-4FDB-99DE-4B65B6F333C6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:*:*:*:*:*:*:*:*", "matchCriteriaId": "D59AF1C6-0EA7-48DC-BD3E-5611DF294DFE", "versionEndIncluding": "6.1.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "3DB663F3-317F-4E02-8D6A-15185000BF41", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "F86A6088-11EA-414A-96FD-214295554AF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "590B012A-3F3F-45AD-ACBC-FEA6FC6EB063", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "6B30DDA2-DC2B-4FBD-B0AE-9622A5C6FA89", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "39293A85-A727-40F1-8C22-6F6FFC850ABD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "224409A7-9D51-4D7C-B0F1-FA55F2C247FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "9AFE6FAC-13F9-4DF7-809E-02D5A88E1993", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "3EEAAFA4-6E8F-433F-818E-3A39F794885F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FEB9545C-58ED-4A7D-A740-C7AE458751DF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "8CF5F1D9-D61A-4935-81A6-131C814F04F9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "12D4458F-4155-465D-AC29-51C163528D4A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:internet_mail_program:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "10E16364-A584-4CD5-A408-B78D738A4772", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "7A5769FE-7950-487D-B648-6EE2BB3D5777", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "754CB9EA-E5D6-431C-93FD-0536CD5DAC26", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "C4539C8B-5A8C-4C95-9073-2FA7DE4BD367", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "CCE65FD3-06FB-4D8B-B84A-260907B1C950", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "C533F92C-BB57-4BB3-89DB-CD67B9738444", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "BCFD6FBF-164F-4A0D-A121-4FC365FC0393", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "EBB97A81-2BD4-4830-B13E-ADD56B2E6178", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "88DAB3CC-1C43-4CA2-B63A-2FE962B2638A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "C6C4A3CF-71A4-401B-8DDB-D24202781F49", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "8340BBB6-EF39-449D-80F3-BAF6F107D429", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:internet_mail_program:6.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "1768F80C-0098-44A1-B14D-85865FD0F013", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site 
scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en Horde Internet Mail Program (IMP) anterior a 6.1.8, utilizado en Horde Groupware Webmail Edition anterior a 5.1.5, permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un indicador no especificado en la visualizaci\u00f3n b\u00e1sica de (1) buzones o (2) mensajes." } ], "id": "CVE-2014-4945", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-07-14T14:55:07.527", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2014/001019.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/59770" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/59772" }, { "source": "cve@mitre.org", "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "source": "cve@mitre.org", "url": 
"https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2014/001019.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2014/001025.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59770" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59772" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-01-30 17:28
Modified
2025-04-09 00:30
Severity ?
Summary
Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.0_rc2:*:*:*:*:*:*:*", "matchCriteriaId": "FFEBF420-8E1F-447A-8366-6D36036AF3E0", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0_rc3:*:*:*:*:*:*:*", "matchCriteriaId": "DC28C5B0-D148-4950-B592-77E0F184AC8B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information." }, { "lang": "es", "value": "Vulnerabilidad no especificada en el componente de calendario en Horde Groupware Webmail Edition versiones anteriores a 1.0, y Groupware before 1.0, permite a atacantes remotos incluir ficheros concretos mediante vectores desconocidos.\r\nNOTA: algunos de estos detalles se han obtenido de informaci\u00f3n de terceros." 
} ], "id": "CVE-2007-0579", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2007-01-30T17:28:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2007/000308.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2007/000309.html" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/33083" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/22273" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2007/0368" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31849" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2007/000308.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://lists.horde.org/archives/announce/2007/000309.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/33083" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/22273" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2007/0368" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31849" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-02-19 01:00
Modified
2025-04-09 00:30
Severity ?
Summary
lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.
References
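Impacted products
Note: in the CPE configuration below, the debian_linux 4.0 rows are platform entries marked "vulnerable": false, combined with the Horde entries under an AND operator. They differ only in the CPE field that carries the architecture (alpha, amd64, arm, ...), which this table omits. The three Horde rows are the entries marked "vulnerable": true.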
Vendor | Product | Version | |
---|---|---|---|
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
debian | debian_linux | 4.0 | |
horde | groupware | 1.0.3 | |
horde | groupware_webmail_edition | 1.0.4 | |
horde | turba_contact_manager | 2.1.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "0F92AB32-E7DE-43F4-B877-1F41FA162EC7", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:alpha:*:*:*:*:*", "matchCriteriaId": "F5114DA3-FBB9-47C4-857B-3212404DAD4E", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:amd64:*:*:*:*:*", "matchCriteriaId": "4D5F5A52-285E-4E7E-83B8-508079DBCEAE", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:arm:*:*:*:*:*", "matchCriteriaId": "674BE2D9-009B-46C5-A071-CB10368B8D48", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:hppa:*:*:*:*:*", "matchCriteriaId": "703486E5-906B-4BDB-A046-28D4D73E3F03", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:ia-32:*:*:*:*:*", "matchCriteriaId": "ABB5AC0D-2358-4C8E-99B5-2CE0A678F549", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:ia-64:*:*:*:*:*", "matchCriteriaId": "38B37184-BA88-44F1-AC9E-8B60C2419111", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:m68k:*:*:*:*:*", "matchCriteriaId": "0D8C9247-3E18-4DD9-AF5B-B2996C76443F", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:mips:*:*:*:*:*", "matchCriteriaId": "0EEA2CDD-7FCD-461E-90FC-CDB3C3992A32", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:mipsel:*:*:*:*:*", "matchCriteriaId": "D7B877A8-5318-402E-8AE1-753E7419060F", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:powerpc:*:*:*:*:*", "matchCriteriaId": "A3938420-087D-4D92-A2F8-EAE54D9837EC", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:s-390:*:*:*:*:*", "matchCriteriaId": "EFB8DE9F-2130-49E9-85EE-6793ED9FBEED", "vulnerable": false }, { "criteria": "cpe:2.3:o:debian:debian_linux:4.0:*:sparc:*:*:*:*:*", "matchCriteriaId": "10F42CF8-FB98-4AFC-96C5-FD7D442B0FA3", "vulnerable": 
false } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D59C23FB-E223-4EED-8F69-3CC1EE7DF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "989D5040-13B3-4D76-A516-81CAB112FE44", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:turba_contact_manager:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "6476A5E9-779F-4CBC-9C49-42AADD427B91", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book." }, { "lang": "es", "value": "lib/Driver/sql.php en Turba 2 (turba2) Contact Manager H3 2.1.x antes de 2.1.7 y 2.2.x antes de 2.2-RC3, como se usa en productos como Horde Groupware antes de 1.0.4 y Horde Groupware Webmail Edition antes de 1.0.5, no comprueba correctamente los privilegios de acceso, lo que permite a usuarios autentificados remotamente modificar datos de direcci\u00f3n a trav\u00e9s de un par\u00e1metro object_id modificado a edit.php, como se demostr\u00f3 modificando una entrada personal en la libreta de direcciones cuando hay un acceso de escritura a una libreta de direcciones compartida." 
} ], "id": "CVE-2008-0807", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-02-19T01:00:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000378.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000379.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000380.html" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000381.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/28982" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29071" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29184" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29185" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/29186" }, { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2008/dsa-1507" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/27844" }, { "source": "cve@mitre.org", "url": "http://www.securitytracker.com/id?1019433" }, { "source": 
"cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0593/references" }, { "source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=432027" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html" }, { "source": "cve@mitre.org", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000378.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000379.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000380.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2008/000381.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/28982" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29071" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29184" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29185" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/29186" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2008/dsa-1507" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/27844" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id?1019433" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/0593/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=432027" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-04-04 12:27
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names.
References
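Impacted products
Note: a "*" version row stands for the range bounded by versionEndIncluding in the CPE data below (1.2.6 for groupware, 1.1.4 for dynamic_imp). Rows that repeat a version differ only in the CPE update field (alpha, rc1, rc2, ...), which this table omits. The CPE data names horde:groupware while the summary names Horde Groupware Webmail Edition, so an inventory keyed on groupware_webmail_edition may not match this entry.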
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | * | |
horde | groupware | 1.0 | |
horde | groupware | 1.0 | |
horde | groupware | 1.0 | |
horde | groupware | 1.0.1 | |
horde | groupware | 1.0.2 | |
horde | groupware | 1.0.3 | |
horde | groupware | 1.0.4 | |
horde | groupware | 1.0.5 | |
horde | groupware | 1.0.6 | |
horde | groupware | 1.0.7 | |
horde | groupware | 1.0.8 | |
horde | groupware | 1.1 | |
horde | groupware | 1.1 | |
horde | groupware | 1.1 | |
horde | groupware | 1.1 | |
horde | groupware | 1.1 | |
horde | groupware | 1.1.1 | |
horde | groupware | 1.1.2 | |
horde | groupware | 1.1.3 | |
horde | groupware | 1.1.4 | |
horde | groupware | 1.1.5 | |
horde | groupware | 1.1.6 | |
horde | groupware | 1.2 | |
horde | groupware | 1.2 | |
horde | groupware | 1.2.1 | |
horde | groupware | 1.2.2 | |
horde | groupware | 1.2.3 | |
horde | groupware | 1.2.3 | |
horde | groupware | 1.2.4 | |
horde | groupware | 1.2.5 | |
horde | dynamic_imp | * | |
horde | dynamic_imp | 1.0 | |
horde | dynamic_imp | 1.0 | |
horde | dynamic_imp | 1.0 | |
horde | dynamic_imp | 1.0 | |
horde | dynamic_imp | 1.0 | |
horde | dynamic_imp | 1.1 | |
horde | dynamic_imp | 1.1 | |
horde | dynamic_imp | 1.1 | |
horde | dynamic_imp | 1.1.1 | |
horde | dynamic_imp | 1.1.2 | |
horde | dynamic_imp | 1.1.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D82E23DB-0652-4BA9-9D9A-0107BEC1EA31", "versionEndIncluding": "1.2.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E55009DF-EDF1-4FAE-88E7-1CF33BFFEBC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "980162BB-48B3-4921-987A-6D18C62965A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DC241F01-B9DF-4D0E-BA3C-3523AEEB6BCF", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B574D428-0A3A-47CA-A926-5C936F83919A", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D59C23FB-E223-4EED-8F69-3CC1EE7DF148", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "904EEFF0-CF66-43E6-BAA9-1A6FB4115CB3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "B3AB0176-9CB3-4D49-B644-2C413C9B6E13", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "C95E9B57-2DB0-4692-A7D1-180EC3687D1B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "6E7D8683-8DD4-4EB0-A28F-0C556304BB2D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "9F68E5D5-7812-4FB2-ACF9-76180B038D80", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C6BBB036-494E-41D4-BD04-40906FAB5C60", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:horde:groupware:1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "37B76B27-ADF0-4E88-B92C-304FB38A356E", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "965F245A-879A-4DF0-ABC5-588E78C4CBBD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "3DCB29F9-3875-4264-8117-5751FEDC3350", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "59FC250F-EF0B-4604-99A2-3EEB8B2DEB77", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "1C10E681-5D2B-4EA4-B8E1-C0CA4FC9D3FB", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "19CC5154-42C5-4877-9147-5DFD61BD5CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "62AAEBBF-1696-4EAC-8837-68A03C2D2F5F", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F626876D-99FC-4DE0-BEE0-35874C4E25F7", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "A849DD3E-882A-4621-BB6C-315A76677BB9", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "AAF1A6AE-0748-476B-ACE2-DA43A9443B7C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB711B5E-9011-4BA2-917A-DB8545705E23", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "50DC1068-F426-497F-A5A0-E032BC3816F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "F2C5A176-8C72-40EA-85AC-F11B40FD53A3", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB4C3487-4556-47E5-8BF3-1DEDF0E9AFEC", "vulnerable": true }, 
{ "criteria": "cpe:2.3:a:horde:groupware:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "78F24E43-491B-4AD1-B905-66F7FC6DA98D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "F577A169-8354-4218-B3C6-04DA4BDF1E3C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "1FAFD66F-81F7-48F9-87F0-E394F55A1288", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "2BA91C75-69CF-45AE-AF23-ADE9259B7C9C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:dynamic_imp:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6EAD2A3-6224-4489-AC0F-153EFAF50695", "versionEndIncluding": "1.1.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "AC88E67E-01FD-4B3A-A186-C0D5A8F3111D", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.0:alpha:*:*:*:*:*:*", "matchCriteriaId": "CBC6D9CA-DDD0-4D79-845B-95AEF907BC8C", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "72796BEA-2929-4730-BD97-52686ACA0A34", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "D01633AC-7627-4DDA-A2FA-942D2F962567", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "6B517AA9-55B2-48E5-A1C0-83AAA1A38435", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "349FE027-660E-42A8-9382-1049F827AE3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "718B8347-55A5-4909-87DD-071F9D4606A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "741ECFFC-A7A5-4BF2-B9E4-C5E06F3AF0DD", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:horde:dynamic_imp:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "155EE1D9-0EA9-4EFC-953D-5BD24FA596CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "0CA83502-F507-4914-96A2-CFB7FDF29568", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:dynamic_imp:1.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "939C5E5C-BA4D-4F65-BA9C-EEE70D18016C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names." }, { "lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Horde Dynamic IMP (DIMP) antes de v1.1.5, y Horde Groupware Webmail Edition antes de v1.2.7, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de vectores relacionados con nombres de buz\u00f3n mostrar." 
} ], "id": "CVE-2010-3693", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2011-04-04T12:27:36.250", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://bugs.horde.org/ticket/9240" }, { "source": "secalert@redhat.com", "url": "http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horde\u0026r1=1.69.2.82\u0026r2=1.69.2.87\u0026ty=h" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://git.horde.org/diff.php/imp/lib/Views/ListMessages.php?rt=horde-git\u0026r1=b496687e2e71f3ebaecdff5ee49561fbfc1c74cb\u0026r2=48913cf3af81875d6e5c6f32e030c5913f22f25d" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2010/000561.html" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/7" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/10/01/6" 
}, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/41639" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/68267" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2522" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62080" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://bugs.horde.org/ticket/9240" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horde\u0026r1=1.69.2.82\u0026r2=1.69.2.87\u0026ty=h" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde\u0026r1=1.35.2.11\u0026r2=1.35.2.13\u0026ty=h" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://git.horde.org/diff.php/imp/lib/Views/ListMessages.php?rt=horde-git\u0026r1=b496687e2e71f3ebaecdff5ee49561fbfc1c74cb\u0026r2=48913cf3af81875d6e5c6f32e030c5913f22f25d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2010/000561.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://lists.horde.org/archives/announce/2010/000568.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/09/30/8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://openwall.com/lists/oss-security/2010/10/01/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://secunia.com/advisories/41639" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/68267" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.vupen.com/english/advisories/2010/2522" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62080" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-11-20 20:29
Modified
2025-04-20 01:37
Severity ?
Summary
In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html | Exploit, Issue Tracking, Third Party Advisory | |
cve@mitre.org | https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716 | Patch, Vendor Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html | Exploit, Issue Tracking, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.19:*:*:*:*:*:*:*", "matchCriteriaId": "E509D906-4D06-4404-B420-523CE6313855", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed." }, { "lang": "es", "value": "En Horde Groupware 5.2.19, existe XSS mediante el campo Name durante la creaci\u00f3n de un nuevo recurso. Esto puede aprovecharse para ejecutar c\u00f3digo de forma remota tras comprometer una cuenta de administrador, ya que se puede omitir el mecanismo de protecci\u00f3n CSRF relacionado con CVE-2015-7984." } ], "id": "CVE-2017-16908", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": 
"nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-11-20T20:29:00.480", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716" }, { "source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2007-03-26 23:19
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: the vendor disputes this issue, noting that the search.php issue was resolved in CVE-2006-4255 and that attackers can only use rule.php to inject XSS into their own pages.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "71C2653B-7F0B-4628-9E77-44744BC05463", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [ { "sourceIdentifier": "cve@mitre.org", "tags": [ "disputed" ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages" }, { "lang": "es", "value": "** DISPUTADA ** M\u00faltiples vulnerabilidades de XSS en Horde Groupware Webmail 1.0 permite a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s de vectores no especificados en (1) imp/search.php y (2) ingo/rule.php. NOTA: este problema ha sido disputado por el proveedor, anotando que el problema de search.php fue resuelto en CVE-2006-4255, y atacantes solo pueden utilizar rule.php para inyectar XSS en sus propias p\u00e1ginas." 
} ], "id": "CVE-2007-1679", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2007-03-26T23:19:00.000", "references": [ { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/2487" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/463819/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/463911/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/23136" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33228" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/2487" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/463819/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.securityfocus.com/archive/1/463911/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/23136" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33228" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-17 15:15
Modified
2024-11-21 05:38
Severity ?
Summary
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
horde | groupware | 5.2.22 | |
fedoraproject | fedora | 30 | |
fedoraproject | fedora | 31 | |
debian | debian_linux | 8.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:5.2.22:*:*:*:webmail:*:*:*", "matchCriteriaId": "13EBB673-7F7D-402E-9791-7974AC24B529", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true }, { "criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution." }, { "lang": "es", "value": "Horde Groupware Webmail Edition versi\u00f3n 5.2.22, permite una inyecci\u00f3n de c\u00f3digo PHP arbitrario, por medio de datos CSV, conllevando a una ejecuci\u00f3n de c\u00f3digo remota." 
} ], "id": "CVE-2020-8518", "lastModified": "2024-11-21T05:38:59.183", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-17T15:15:11.853", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ/" }, { "source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T/" }, { "source": "cve@mitre.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": 
"https://lists.horde.org/archives/announce/2020/001285.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/156872/Horde-5.2.22-CSV-Import-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00008.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PRPIFQDGYPQ3F2TF2ETPIL7IYNSVVZQ/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKTNYDBDVJNMVC7QPXQI7CMPLX3USZ2T/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.horde.org/archives/announce/2020/001285.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-06-19 20:41
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*", "matchCriteriaId": "12221711-3AF8-477A-B61B-E65AD45C06B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:groupware_webmail_edition:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED443641-1A9E-49FA-8478-BEEC8C692F91", "vulnerable": true }, { "criteria": "cpe:2.3:a:horde:kronolith:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BF59A10-210E-4590-8334-3A7274705E5D", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencia de comandos en sitios cruzados (XSS) en Horde Groupware, Groupware Webmail Edition y Kronolith, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro timestamp en (1) week.php, (2) workweek.php y (3) day.php; y (4) par\u00e1metro horde en PATH_INFO de la URI por defeceto. NOTA: el origen de esta informaci\u00f3n es desconocido; los detalles se han obtenido \u00fanicamente de informaci\u00f3n de terceros." 
} ], "id": "CVE-2008-2783", "lastModified": "2025-04-09T00:30:58.490", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2008-06-19T20:41:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/29365" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42640" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/29365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42640" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }