CVE-2020-7804
https://notcve.org/view.php?id=CVE-2020-7804
ActiveX Control(HShell.dll) in Handy Groupware 1.7.3.1 for Windows 7, 8, and 10 allows an attacker to execute arbitrary command via the ShellExec method. ActiveX Control(HShell.dll) en Handy Groupware versión 1.7.3.1 para Windows 7, 8 y 10, permite a un atacante ejecutar un comando arbitrario por medio del método ShellExec. • http://www.handysoft.co.kr/product/product.html?seq=12 https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35368 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2019-12094 – Horde Webmail 5.2.22 XSS / CSRF / SQL Injection / Code Execution
https://notcve.org/view.php?id=CVE-2019-12094
Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI. Horde Groupware Webmail Edition hasta la versión 5.2.22 permite XSS a través de admin / user.php? • https://bugs.horde.org/ticket/14926 https://cxsecurity.com/issue/WLB-2019050199 https://numanozdemir.com/respdisc/horde/horde.mp4 https://numanozdemir.com/respdisc/horde/horde.txt https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html https://www.exploit-db.com/exploits/46903 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-12095 – Horde Webmail 5.2.22 XSS / CSRF / SQL Injection / Code Execution
https://notcve.org/view.php?id=CVE-2019-12095
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload. Horde Trean, como se utiliza en Horde Groupware Webmail Edition a través de 5.2.22 y otros productos, permite CSRF, como lo demuestra el parámetro treanBookmarkTags al trean / URI en un servidor de correo web. NOTA: treanBookmarkTags podría, por ejemplo, ser una carga útil XSS almacenada. Horde Webmail version 5.2.22 suffers from code execution, cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities. • https://bugs.horde.org/ticket/14926 https://cxsecurity.com/issue/WLB-2019050199 https://exchange.xforce.ibmcloud.com/vulnerabilities/161333 https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html https://numanozdemir.com/respdisc/horde/horde.mp4 https://numanozdemir.com/respdisc/horde/horde.txt https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html https://www.exploit-db.com/exploits/46903 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2017-7413
https://notcve.org/view.php?id=CVE-2017-7413
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address. En Horde_Crypt en versiones anteriores a 2.7.6, como se utiliza en Horde Groupware Webmail Edition hasta la versión 5.2.17, OS Comand Inyection puede ocurrir si el atacante es un usuario autenticado Horde Webmail, tiene características PGP habilitado en sus preferencias,e intenta cifrar un correo electrónico a una maliciosa dirección de correo electrónico manipulada. • https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2016-2228
https://notcve.org/view.php?id=CVE-2016-2228
Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php. Vulnerabilidad de XSS en horde/templates/topbar/_menubar.html.php en Horde Groupware en versiones anteriores a 5.2.12 y Horde Groupware Webmail Edition en versiones anteriores a 5.2.12 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro searchfield, como ha quedado demostrado por una petición a xplorer/gollem/manager.php. • http://bugs.horde.org/ticket/14213 http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html http://lists.horde.org/archives/announce/2016/001148.html http://lists.horde.org/archives/announce/2016/001149.html http://www.debian.org/security/2016/dsa-3497 http://www.openwall.com/lists/oss-security/2016/02/06/4 http://www.openwall.com/lists/oss-security/2016/02/06/5 https • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •