Page 2 of 10 results (0.007 seconds)

CVSS: 5.0EPSS: 0%CPEs: 41EXPL: 0

Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. Horde IMP v4.3.6 y anteriores no solicitan que el navegador web permita el "prefetching" DNS de los nombres de dominio contenidos en mensajes de correo electrónico, lo que facilita a atacantes remotos determinar la localización de red del usuario de webmail mediante peticiones de logggin DNS. • http://bugs.horde.org/ticket/8836 https://exchange.xforce.ibmcloud.com/vulnerabilities/56052 https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Horde IMP H3 4.1.3 y, posiblemente, versiones anteriores, permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante (1) la cabecera del Subject de los email en el thread.php,(2) el parámetro edit_query del search.php u otros parámetros sin especificar en el search.php. NOTA: algunos de los detalles se obtienen a partir de la información de terceros. • https://www.exploit-db.com/exploits/29742 http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052977.html http://lists.horde.org/archives/announce/2007/000316.html http://secunia.com/advisories/24541 http://www.securityfocus.com/archive/1/462914/100/0/threaded http://www.securityfocus.com/bid/22975 http://www.securitytracker.com/id?1017774 http://www.vupen.com/english/advisories/2007/0964 •

CVSS: 4.3EPSS: 0%CPEs: 38EXPL: 0

Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Horde IMP H3 before 4.1.3 allows remote attackers to include arbitrary web script or HTML via multiple unspecified vectors related to folder names, as injected into the vfolder_label form field in the IMP search screen. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en horde/imp/search.php en Horde IMP H3 anterior a 4.1.3 permite a atacanets remotos incluir secuencias de comandos web o HTML de su elección a través de múltiples vectores no especificados relacionados con nombres de carpetas, como se ha inyectado en el campo de formulario vfolder_label en la pantalla de búsqueda IMP. • http://lists.horde.org/archives/announce/2006/000294.html http://secunia.com/advisories/21533 http://securityreason.com/securityalert/1423 http://securitytracker.com/id?1016713 http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=2457 http://www.securityfocus.com/archive/1/443361/100/0/threaded http://www.securityfocus.com/bid/19544 http://www.vupen.com/english/advisories/2006/3316 https://exchange.xforce.ibmcloud.com/vulnerabilities/28409 •

CVSS: 4.3EPSS: 1%CPEs: 25EXPL: 2

Horde IMP 4.0.4 and earlier does not sanitize strings containing UTF16 null characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via UTF16 encoded attachments and strings that will be executed when viewed using Internet Explorer, which ignores the characters. • https://www.exploit-db.com/exploits/26741 http://secunia.com/advisories/17910 http://securityreason.com/securityalert/232 http://securitytracker.com/id?1015315 http://www.securityfocus.com/archive/1/418734/100/0/threaded http://www.securityfocus.com/bid/15730 http://www.vupen.com/english/advisories/2005/2773 https://exchange.xforce.ibmcloud.com/vulnerabilities/23465 •

CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 0

Cross-site scripting (XSS) vulnerability in Horde IMP Webmail client before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. • http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.389.2.119&r2=1.389.2.125&ty=h http://lists.horde.org/archives/imp/Week-of-Mon-20050418/041912.html http://secunia.com/advisories/15080 •