Page 3 of 36 results (0.009 seconds)

CVSS: 7.5EPSS: 93%CPEs: 6EXPL: 2

CVE-2014-1691 – Horde Framework - Unserialize PHP Code Execution

https://notcve.org/view.php?id=CVE-2014-1691

The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form. El script framework/Util/lib/Horde/Variables.php en la libraría de Util en Horde anterior a 5.1.1 permite a atacantes remotos realizar ataques de inyección de objetos y ejecutar código PHP arbitrario a través de un objeto serializado manipulado en el formulario _formvars. • https://www.exploit-db.com/exploits/32439 http://seclists.org/oss-sec/2014/q1/153 http://seclists.org/oss-sec/2014/q1/156 http://seclists.org/oss-sec/2014/q1/169 http://www.debian.org/security/2014/dsa-2853 https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215 https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5EPSS: 58%CPEs: 3EXPL: 5

CVE-2012-0209 – Horde 3.3.12 - Backdoor Arbitrary PHP Code Execution

https://notcve.org/view.php?id=CVE-2012-0209

Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code. Horde v3.3.12, Horde Groupware v1.2.10, y Horde Groupware Webmail Edition v1.2.10, como el distribuido por FTP entre noviembre del 2011 y febrero del 2012, contiene unas modificaciones introducidas externamente (troyano) en templates/javascript/open_calendar.js, lo que permite a atacantes remotos ejecutar código PHP. • https://www.exploit-db.com/exploits/18492 http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis http://lists.horde.org/archives/announce/2012/000751.html http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html https://bugzilla.redhat.com/show_bug.cgi?id=790877 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.8EPSS: 0%CPEs: 84EXPL: 0

CVE-2010-3694

https://notcve.org/view.php?id=CVE-2010-3694

Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Horde Application Framework anterior a v3.3.9 permite a los atacantes remotos secuestrar la autenticación de víctimas sin especificar en peticiones a un formulario preferente. • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html http://lists.horde.org/archives/announce/2010/000557.html http://secunia.com/advisories/42140 https://bugzilla.redhat.com/show_bug.cgi?id=630687 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 0%CPEs: 84EXPL: 2

CVE-2010-3077 – Horde Application Framework 3.3.8 - 'icon_browser.php' Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2010-3077

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en util/icon_browser.php en el Horde Application Framework anterior a v3.3.9 que permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través del parámetro "subdir". • https://www.exploit-db.com/exploits/34605 http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9 http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html http://lists.horde.org/archives/announce/2010/000557.html http://seclists.org/fulldisclosure/2010/Sep/82 http://secunia.com/advisories/42140 https://bu • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

CVE-2010-1638

https://notcve.org/view.php?id=CVE-2010-1638

The IMP plugin in Horde allows remote attackers to bypass firewall restrictions and use Horde as a proxy to scan internal networks via a crafted request to an unspecified test script. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. El plugin IMP en Horde permite a atacantes remotos eludir las restricciones del firewall y usar Horde como un proxy para escanear redes internas mediante una petición manipulada a un script de test no especificado. NOTA: esto sólo supone una vulnerabilidad cuando el administrador no sigue las recomendaciones de instalación de la documentación del producto. • http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20-%20Laurent%20Oudot%20-%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=74 http://www.openwall.com/lists/oss-security/2010/05/21/2 http://www.openwall.com/lists/oss-security/2010/05/25/2 • CWE-264: Permissions, Privileges, and Access Controls •