CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2017-16906
https://notcve.org/view.php?id=CVE-2017-16906
20 Nov 2017 — In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action. En Horde Groupware 5.2.19-5.2.22, existe XSS mediante el campo URL en una acción "Calendar -> New Event". • http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2017-16907
https://notcve.org/view.php?id=CVE-2017-16907
20 Nov 2017 — In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action. En Horde Groupware 5.2.19 y 5.2.21, existe XSS mediante el campo Color en una acción Create Task List. • http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-16908
https://notcve.org/view.php?id=CVE-2017-16908
20 Nov 2017 — In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed. En Horde Groupware 5.2.19, existe XSS mediante el campo Name durante la creación de un nuevo recurso. Esto puede aprovecharse para ejecutar código de forma remota tras comprometer una cuenta de administrador, ya que se puede omitir el mecanismo de pro... • http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 16%CPEs: 1EXPL: 2CVE-2017-15235 – Horde Groupware 5.2.21 - Unauthorized File Download
https://notcve.org/view.php?id=CVE-2017-15235
11 Oct 2017 — The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename. El módulo File Manager (gollem) 3.0.11 en Horde Groupware 5.2.21 permite que atacantes remotos omitan la autenticación de Horde para descargas de archivos mediante un parámetro fn manipulado que corresponde al nombre de archivo exacto. • https://www.exploit-db.com/exploits/44059 • CWE-425: Direct Request ('Forced Browsing') •
CVSS: 9.0EPSS: 16%CPEs: 1EXPL: 0CVE-2017-7413
https://notcve.org/view.php?id=CVE-2017-7413
04 Apr 2017 — In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address. En Horde_Crypt en versiones anteriores a 2.7.6, como se utiliza en Horde Groupware Webmail Edition hasta la versión 5.2.17, OS Comand Inyection puede ocurrir si el atacante es un usuario autenticado Horde We... • https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 1%CPEs: 23EXPL: 0CVE-2017-7414
https://notcve.org/view.php?id=CVE-2017-7414
04 Apr 2017 — In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed email (that is maliciously crafted) to the Horde user, who then must either view or preview it. En Horde_Crypt en versiones anteriores a 2.7.6, como se utiliza ... • https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2016-5303
https://notcve.org/view.php?id=CVE-2016-5303
20 Dec 2016 — Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute. Vulnerabilidad de XSS en la API Horde Text Filter en Horde Groupware y Horde Groupware Webmail Edition en versiones anteriores a 5.2.16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de... • http://marc.info/?l=horde-announce&m=147319066126665&w=2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 1CVE-2015-8807 – Debian Security Advisory 3496-1
https://notcve.org/view.php?id=CVE-2015-8807
29 Feb 2016 — Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields. Vulnerabilidad de XSS en la función _renderVarenput_number en horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php en Horde Groupware en versiones anteriores a 5.2.12 y Hord... • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 1CVE-2016-2228 – Debian Security Advisory 3497-1
https://notcve.org/view.php?id=CVE-2016-2228
29 Feb 2016 — Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php. Vulnerabilidad de XSS en horde/templates/topbar/_menubar.html.php en Horde Groupware en versiones anteriores a 5.2.12 y Horde Groupware Webmail Edition en versiones anteriores a 5.2.12 permi... • http://bugs.horde.org/ticket/14213 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 4EXPL: 3CVE-2015-7984 – Horde Groupware 5.2.10 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-7984
19 Nov 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php. Múltiples vulnerabilidades de CSRF en Horde en versiones anteri... • https://packetstorm.news/files/id/134431 • CWE-352: Cross-Site Request Forgery (CSRF) •