CVSS: 4.3EPSS: 0%CPEs: 35EXPL: 0CVE-2009-3237
https://notcve.org/view.php?id=CVE-2009-3237
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter; or (2) crafted unknown MIME "text parts" that are not properly handled in the MIME viewer library (config/mime_drivers.php). Múltiple vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Horde Application Framework desde v3.2 anteriores a v3.2.5 y desde v3.3 anteriores a v3.3.5; Groupware desde v1.1 anteriores a v1.1.6 y 1.2 anteriores a v1.2.4; y Groupware Webmail Edition desde v1.1 anteriores a v1.1.6 y desde v1.2 anteriores a v1.2.4; permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a través de (1) preferencias numéricas manipuladas que no han sido adecuadamente gestionadas en el sistema de preferencias (services/prefs.php), como quedo demostrado por el parámetro sidebar_width o (2) "fragmentos de texto" MIME desconocidos manipulados que no son gestionados adecuadamente por la librería de visor de MIME (config/mime_drivers.php). • http://bugs.horde.org/ticket/?id=8311 http://bugs.horde.org/ticket/?id=8399 http://marc.info/?l=horde-announce&m=125291625030436&w=2 http://marc.info/?l=horde-announce&m=125292088004087&w=2 http://marc.info/? • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2009-0931
https://notcve.org/view.php?id=CVE-2009-0931
Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la secuencia de comandos de búsqueda de nube de etiquetas (horde/services/portal/cloud_search.php) en Horde anterior a v3.2.4 y v3.3.3, y Horde Groupware anterior a v1.1.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores sin especificar. • http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5 http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.413.2.5 http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.503 http://lists.horde.org/archives/announce/2009/000482.html http://lists.horde.org/archives/announce/2009/000483.html http://lists.horde.org/archives/announce/2009/000486.html http://secunia.com/advisories/33695 http://www.securityfocus.com/bid/33491 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 1%CPEs: 37EXPL: 1CVE-2007-1473 – Horde Framework 3.1.3 - 'login.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-1473
Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in Horde Framework before 3.1.4 RC1, when the login page contains a language selection box, allows remote attackers to inject arbitrary web script or HTML via the new_lang parameter to login.php. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en framework/NLS/NLS.php en Horde Framework anterior a 3.1.4 RC1, cuando la página de login contiene una caja de elección de idioma, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro new_lang en login.php. • https://www.exploit-db.com/exploits/29745 http://lists.horde.org/archives/announce/2007/000315.html http://secunia.com/advisories/24528 http://secunia.com/advisories/24995 http://secunia.com/advisories/27565 http://securityreason.com/securityalert/2427 http://securitytracker.com/id?1017775 http://www.debian.org/security/2007/dsa-1406 http://www.novell.com/linux/security/advisories/2007_007_suse.html http://www.osvdb.org/33084 http://www.securityfocus.com/archive/1/462915/ •
CVSS: 6.8EPSS: 3%CPEs: 11EXPL: 0CVE-2006-2195
https://notcve.org/view.php?id=CVE-2006-2195
Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) templates/problem/problem.inc and (2) test.php. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en horde 3 (horde3) anterior a v3.1.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) templates/problem/problem.inc y (2) test.php. • http://bugs.gentoo.org/show_bug.cgi?id=136830 http://cvs.horde.org/diff.php?f=horde%2Ftest.php&r1=1.145&r2=1.146 http://cvs.horde.org/diff.php?r1=2.25&r2=2.26&f=horde%2Ftemplates%2Fproblem%2Fproblem.inc http://overlays.gentoo.org/dev/chtekk/browser/horde/www-apps/horde/files/horde-3.1.1-xss.diff?rev=4&format=txt http://secunia.com/advisories/20661 http://secunia.com/advisories/20672 http://secunia.com/advisories/20750 http://secunia.com/advisories/20849 htt •
CVSS: 5.0EPSS: 10%CPEs: 33EXPL: 3CVE-2006-1260 – Horde Web-Mail 3.x - 'go.php' Remote File Disclosure
https://notcve.org/view.php?id=CVE-2006-1260
Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check. • https://www.exploit-db.com/exploits/4850 http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/043657.html http://secunia.com/advisories/19246 http://secunia.com/advisories/19528 http://secunia.com/advisories/19619 http://secunia.com/advisories/19692 http://secunia.com/advisories/19897 http://securityreason.com/securityalert/590 http://securitytracker.com/id?1015771 http://www.debian.org/security/2006/dsa-1033 http://www.debian.org/security/2006/dsa-1034 http:/&#x •