CVE-2019-12095
Horde Webmail 5.2.22 XSS / CSRF / SQL Injection / Code Execution
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
6
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload.
Horde Trean, como se utiliza en Horde Groupware Webmail Edition a través de 5.2.22 y otros productos, permite CSRF, como lo demuestra el parámetro treanBookmarkTags al trean / URI en un servidor de correo web. NOTA: treanBookmarkTags podría, por ejemplo, ser una carga útil XSS almacenada.
Horde Webmail version 5.2.22 suffers from code execution, cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-05-14 CVE Reserved
- 2019-05-17 CVE Published
- 2024-05-19 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://exchange.xforce.ibmcloud.com/vulnerabilities/161333 | Third Party Advisory | |
https://lists.debian.org/debian-lts-announce/2019/12/msg00015.html | Mailing List |
URL | Date | SRC |
---|---|---|
https://bugs.horde.org/ticket/14926 | 2024-08-04 | |
https://cxsecurity.com/issue/WLB-2019050199 | 2024-08-04 | |
https://numanozdemir.com/respdisc/horde/horde.mp4 | 2024-08-04 | |
https://numanozdemir.com/respdisc/horde/horde.txt | 2024-08-04 | |
https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-Injection-Code-Execution.html | 2024-08-04 | |
https://www.exploit-db.com/exploits/46903 | 2024-08-04 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|