CVE-2010-3077 – Horde Application Framework 3.3.8 - 'icon_browser.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-3077
Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en util/icon_browser.php en el Horde Application Framework anterior a v3.3.9 que permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través del parámetro "subdir". • https://www.exploit-db.com/exploits/34605 http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9 http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html http://lists.horde.org/archives/announce/2010/000557.html http://seclists.org/fulldisclosure/2010/Sep/82 http://secunia.com/advisories/42140 https://bu • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-3694
https://notcve.org/view.php?id=CVE-2010-3694
Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Horde Application Framework anterior a v3.3.9 permite a los atacantes remotos secuestrar la autenticación de víctimas sin especificar en peticiones a un formulario preferente. • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html http://lists.horde.org/archives/announce/2010/000557.html http://secunia.com/advisories/42140 https://bugzilla.redhat.com/show_bug.cgi?id=630687 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-7218
https://notcve.org/view.php?id=CVE-2008-7218
Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and 2.2 before 2.2-RC2; Horde Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 has unknown impact and attack vectors. Vulnerabilidad no especificada en el API de Horde v3.1 anterior a v3.1.6 y v3.2 anterior a v3.2 anterior a v3.2-RC2; Turba H3 v2.1 anterior a v2.1.6 y v2.2 anterior a v2.2-RC2; Kronolith H3 2.1 anterior a v2.1.7 y H3 v2.2 anterior a v2.2-RC2; Nag H3 v2.1 anterior a v2.1.4 y v2.2 anterior a v2.2-RC2; Mnemo H3 v2.1 anterior a v2.1.2 y v2.2 anterior a v2.2-RC2; Horde Groupware v1.0 anterior a v1.0.3 y v1.1 anterior a v1.1-RC2; y Groupware Webmail Edition v1.0 anterior a v1.0.4 y v1.1 anterior a v1.1-RC2; tiene impacto y vectores de ataque desconocidos. • http://lists.horde.org/archives/announce/2008/000360.html http://lists.horde.org/archives/announce/2008/000361.html http://lists.horde.org/archives/announce/2008/000362.html http://lists.horde.org/archives/announce/2008/000363.html http://lists.horde.org/archives/announce/2008/000364.html http://lists.horde.org/archives/announce/2008/000365.html http://lists.horde.org/archives/announce/2008/000366.html http://lists.horde.org/archives/announce/2008/000367.html http://lists.horde •
CVE-2009-0931
https://notcve.org/view.php?id=CVE-2009-0931
Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la secuencia de comandos de búsqueda de nube de etiquetas (horde/services/portal/cloud_search.php) en Horde anterior a v3.2.4 y v3.3.3, y Horde Groupware anterior a v1.1.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores sin especificar. • http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5 http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.413.2.5 http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.503 http://lists.horde.org/archives/announce/2009/000482.html http://lists.horde.org/archives/announce/2009/000483.html http://lists.horde.org/archives/announce/2009/000486.html http://secunia.com/advisories/33695 http://www.securityfocus.com/bid/33491 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-3824 – Horde Application Framework 3.2.1 - Forward Slash Insufficient Filtering Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-3824
Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier allows remote attackers to inject arbitrary web script or HTML by using / (slash) characters as replacements for spaces in an HTML e-mail message. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en (1) el módulo Text_Filter/Filter/xss.php de Horde versiones 3.1.x anteriores a 3.1.9 y versiones 3.2.x anteriores a 3.2.2 y en (2) el módulo externalinput.php de Popoon versión r22196 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección al reemplazar caracteres / (barra) por los espacios en blanco en un mensaje de correo electrónico en formato HTML. • https://www.exploit-db.com/exploits/32353 http://blog.liip.ch/missed-case-in-externalinput-php-resulting-in-viable-xss-attacks.html http://marc.info/?l=horde-announce&m=122103888111491&w=2 http://marc.info/?l=horde-announce&m=122104360019867&w=2 http://ocert.org/patches/2008-012/Text_Filter.31.patch http://ocert.org/patches/2008-012/Text_Filter.patch http://osvdb.org/47996 http://secunia.com/advisories/31842 http://securityreason.com/securityalert/4245 http://www. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •