CVSS: 9.0EPSS: 94%CPEs: 1EXPL: 0CVE-2017-7413
https://notcve.org/view.php?id=CVE-2017-7413
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address. En Horde_Crypt en versiones anteriores a 2.7.6, como se utiliza en Horde Groupware Webmail Edition hasta la versión 5.2.17, OS Comand Inyection puede ocurrir si el atacante es un usuario autenticado Horde Webmail, tiene características PGP habilitado en sus preferencias,e intenta cifrar un correo electrónico a una maliciosa dirección de correo electrónico manipulada. • https://lists.debian.org/debian-lts-announce/2018/06/msg00006.html https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2016-5303
https://notcve.org/view.php?id=CVE-2016-5303
Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute. Vulnerabilidad de XSS en la API Horde Text Filter en Horde Groupware y Horde Groupware Webmail Edition en versiones anteriores a 5.2.16 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de contenido data:text/html manipulado en un atributo de forma (1) acción o (2) xlink. • http://marc.info/?l=horde-announce&m=147319066126665&w=2 http://marc.info/?l=horde-announce&m=147319089526753&w=2 http://www.securityfocus.com/bid/94997 https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97 https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •