CVSS: 7.5EPSS: 94%CPEs: 6EXPL: 2CVE-2014-1691 – Horde Framework - Unserialize PHP Code Execution
https://notcve.org/view.php?id=CVE-2014-1691
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form. El script framework/Util/lib/Horde/Variables.php en la libraría de Util en Horde anterior a 5.1.1 permite a atacantes remotos realizar ataques de inyección de objetos y ejecutar código PHP arbitrario a través de un objeto serializado manipulado en el formulario _formvars. • https://www.exploit-db.com/exploits/32439 http://seclists.org/oss-sec/2014/q1/153 http://seclists.org/oss-sec/2014/q1/156 http://seclists.org/oss-sec/2014/q1/169 http://www.debian.org/security/2014/dsa-2853 https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215 https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 84EXPL: 0CVE-2010-3694
https://notcve.org/view.php?id=CVE-2010-3694
Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Horde Application Framework anterior a v3.3.9 permite a los atacantes remotos secuestrar la autenticación de víctimas sin especificar en peticiones a un formulario preferente. • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html http://lists.horde.org/archives/announce/2010/000557.html http://secunia.com/advisories/42140 https://bugzilla.redhat.com/show_bug.cgi?id=630687 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 84EXPL: 2CVE-2010-3077 – Horde Application Framework 3.3.8 - 'icon_browser.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-3077
Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en util/icon_browser.php en el Horde Application Framework anterior a v3.3.9 que permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través del parámetro "subdir". • https://www.exploit-db.com/exploits/34605 http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9 http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html http://lists.horde.org/archives/announce/2010/000557.html http://seclists.org/fulldisclosure/2010/Sep/82 http://secunia.com/advisories/42140 https://bu • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •