Page 2 of 23 results (0.010 seconds)

CVSS: 5.0EPSS: 0%CPEs: 41EXPL: 0

Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. Horde IMP v4.3.6 y anteriores no solicitan que el navegador web permita el "prefetching" DNS de los nombres de dominio contenidos en mensajes de correo electrónico, lo que facilita a atacantes remotos determinar la localización de red del usuario de webmail mediante peticiones de logggin DNS. • http://bugs.horde.org/ticket/8836 https://exchange.xforce.ibmcloud.com/vulnerabilities/56052 https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0

IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 does not validate unspecified HTTP requests, which allows remote attackers to (1) delete arbitrary e-mail messages via a modified numeric ID or (2) "purge" deleted emails via a crafted email message. IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, y Horde Groupware Webmail Edition 1.0.3 no validan peticiones HTTP no especificadas, lo cual permite a atacantes remotos (1) borrar mensajes de correo electrónico de su elección mediante un ID numérico modificado o (2) "purgar" correos electrónicos eliminados mediante un mensaje de correo electrónico manipulado. • http://cvs.horde.org/diff.php/groupware/docs/groupware/CHANGES?r1=1.17&r2=1.17.2.1&ty=h http://cvs.horde.org/diff.php/groupware/docs/webmail/CHANGES?r1=1.12&r2=1.12.2.1&ty=h http://lists.horde.org/archives/announce/2008/000360.html http://lists.horde.org/archives/announce/2008/000365.html http://lists.horde.org/archives/announce/2008/000366.html http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html http://secunia.com/advisories/28020 http:&#x • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Horde IMP H3 4.1.3 y, posiblemente, versiones anteriores, permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante (1) la cabecera del Subject de los email en el thread.php,(2) el parámetro edit_query del search.php u otros parámetros sin especificar en el search.php. NOTA: algunos de los detalles se obtienen a partir de la información de terceros. • https://www.exploit-db.com/exploits/29742 http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052977.html http://lists.horde.org/archives/announce/2007/000316.html http://secunia.com/advisories/24541 http://www.securityfocus.com/archive/1/462914/100/0/threaded http://www.securityfocus.com/bid/22975 http://www.securitytracker.com/id?1017774 http://www.vupen.com/english/advisories/2007/0964 •

CVSS: 6.8EPSS: 1%CPEs: 24EXPL: 1

Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames. Vulnerabilidad de inyección de argumento en la secuencia de comandos cleanup para cron de Horde Project Horde e IMP anterior a Horde Application Framework 3.1.4 permite a usuarios locales borrar archivos de su elección y posiblemente obtener privilegios mediante múltiples nombres de ruta separados por espacios. • https://www.exploit-db.com/exploits/29746 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=489 http://lists.horde.org/archives/announce/2007/000315.html http://secunia.com/advisories/27565 http://www.debian.org/security/2007/dsa-1406 http://www.securityfocus.com/bid/22985 http://www.securitytracker.com/id?1017784 http://www.securitytracker.com/id?1017785 http://www.vupen.com/english/advisories/2007/0965 https://exchange.xforce.ibmcloud.com/vulnerabilities/32997 •

CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0

Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Horde IMP H3 before 4.1.3 allows remote attackers to include arbitrary web script or HTML via multiple unspecified vectors related to folder names, as injected into the vfolder_label form field in the IMP search screen. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en horde/imp/search.php en Horde IMP H3 anterior a 4.1.3 permite a atacanets remotos incluir secuencias de comandos web o HTML de su elección a través de múltiples vectores no especificados relacionados con nombres de carpetas, como se ha inyectado en el campo de formulario vfolder_label en la pantalla de búsqueda IMP. • http://lists.horde.org/archives/announce/2006/000294.html http://secunia.com/advisories/21533 http://securityreason.com/securityalert/1423 http://securitytracker.com/id?1016713 http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2457 http://www.securityfocus.com/archive/1/443361/100/0/threaded http://www.securityfocus.com/bid/19544 http://www.vupen.com/english/advisories/2006/3316 https://exchange.xforce.ibmcloud.com/vulnerabilities/28409 •