CVE-2013-6364 – Horde Groupware Web Mail Edition 5.1.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-6364
Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book Horde Groupware Webmail Edition, presenta una vulnerabilidad de tipo CSRF y XSS, cuando se guarda una búsqueda como una libreta de direcciones virtual. Horde version 5.1.2 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/29519 http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html http://www.exploit-db.com/exploits/29519 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364 https://security-tracker.debian.org/tracker/CVE-2013-6364 https://www.securityfocus.com/archive/1/529589 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2013-6365 – Horde 5.1.2 Cross Site Request Forgery / Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-6365
Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions Horde Groupware Web mail versión 5.1.2, presenta una vulnerabilidad de tipo CSRF con peticiones para cambiar permisos. Horde version 5.1.2 suffers from cross site request forgery and cross site scripting vulnerabilities. • http://archives.neohapsis.com/archives/bugtraq/2013-11/0013.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6365 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6365 https://packetstormsecurity.com/files/cve/CVE-2013-6365 https://security-tracker.debian.org/tracker/CVE-2013-6365 https://www.securityfocus.com/archive/1/529590 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2013-6275 – Horde Groupware Web Mail Edition 5.1.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-6275
Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php. Múltiples problemas de tipo CSRF en Horde Groupware Webmail Edition versión 5.1.2 y anteriores en el archivo basic.php. Horde Groupware Web Mail Edition version 5.1.2 suffers from multiple cross site request forgery vulnerabilities. • https://www.exploit-db.com/exploits/29274 http://archives.neohapsis.com/archives/bugtraq/2013-10/0134.html http://www.exploit-db.com/exploits/29274 http://www.securityfocus.com/bid/63377 http://www.securitytracker.com/id/1029285 https://bugs.gentoo.org/show_bug.cgi?id=CVE-2013-6275 https://exchange.xforce.ibmcloud.com/vulnerabilities/88321 https://security-tracker.debian.org/tracker/CVE-2013-6275 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2012-0209 – Horde 3.3.12 - Backdoor Arbitrary PHP Code Execution
https://notcve.org/view.php?id=CVE-2012-0209
Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code. Horde v3.3.12, Horde Groupware v1.2.10, y Horde Groupware Webmail Edition v1.2.10, como el distribuido por FTP entre noviembre del 2011 y febrero del 2012, contiene unas modificaciones introducidas externamente (troyano) en templates/javascript/open_calendar.js, lo que permite a atacantes remotos ejecutar código PHP. • https://www.exploit-db.com/exploits/18492 http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis http://lists.horde.org/archives/announce/2012/000751.html http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html https://bugzilla.redhat.com/show_bug.cgi?id=790877 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2012-0791
https://notcve.org/view.php?id=CVE-2012-0791
Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) composeCache, (2) rtemode, or (3) filename_* parameters to the compose page; (4) formname parameter to the contacts popup window; or (5) IMAP mailbox names. NOTE: some of these details are obtained from third party information. Múltiples vulnerbilidades de ejecución de secuencias de comandos web en sitios cruzados (XSS) en Horde IMP anterior a v5.0.18 y Horde Groupware Webmail Edition anterior a v4.0.6 permite a atacantes remotos inyectar código HTML o script web a través de los parámetros que componen la página (1) composeCache, (2) rtemode, o (3) filename_*;(4) parámetro formname para ventanas popup; o (5) nombres de buzón IMAP. NOTA: Algunos de estos detalles han sido obtenidos de terceras partes de información. • http://secunia.com/advisories/47580 http://secunia.com/advisories/47592 http://www.debian.org/security/2012/dsa-2485 http://www.horde.org/apps/imp/docs/CHANGES http://www.horde.org/apps/imp/docs/RELEASE_NOTES http://www.horde.org/apps/webmail/docs/CHANGES http://www.horde.org/apps/webmail/docs/RELEASE_NOTES http://www.openwall.com/lists/oss-security/2012/01/22/2 http://www.securityfocus.com/bid/51586 http://www.securitytracker.com/id?1026553 http://w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •