CVE-2021-26929
Horde Groupware Webmail 5.2.22 - Stored XSS
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 3
- Exploited in Wild: -
- Decision: -
Descriptions
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.
Horde Groupware Webmail Edition 5.2.22 suffers from remote code execution and cross-site scripting vulnerabilities via the Horde_Text_Filter library.
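The description above points at a recurring bug class: a text-to-HTML filter that stashes already-generated markup between sentinel bytes so a later escaping pass leaves it alone, then restores everything between the sentinels verbatim. If the sentinels can also arrive in attacker-controlled input, the escaping is bypassed. The following Python is an added illustration of that class, written for this page; it is not Horde's code and not the published exploit. The marker bytes are those named in the description, but the base64 hiding scheme, the function names and the sample e-mail body are assumptions for illustration only.

```python
import base64
import html
import re

# Sentinel markers of the kind the CVE description names. The base64
# hiding scheme below is an assumption for illustration, not Horde's code.
OPEN = "\x00\x00\x00"
CLOSE = "\x01\x01\x01"
URL_RE = re.compile(r"https?://[^\s<>\"']+")
HIDDEN_RE = re.compile(re.escape(OPEN) + r"(.*?)" + re.escape(CLOSE), re.S)


def anchor(url):
    """Build an <a> element for an auto-detected URL, escaping the URL itself."""
    safe = html.escape(url, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def linkify_vulnerable(text):
    """Autolink, then escape, then restore hidden markup.

    Anything between OPEN and CLOSE is trusted unconditionally, so attacker
    text that already contains the markers is decoded and emitted unescaped.
    """
    # 1. Replace each URL with its anchor, hidden as base64 between markers so
    #    the later html.escape() call does not mangle the generated tags.
    hidden = URL_RE.sub(
        lambda m: OPEN + base64.b64encode(anchor(m.group(0)).encode()).decode() + CLOSE,
        text,
    )
    # 2. Escape everything else. html.escape() leaves \x00 and \x01 untouched.
    escaped = html.escape(hidden, quote=True)
    # 3. Restore hidden markup verbatim: the bug, since nothing checks who put it there.
    return HIDDEN_RE.sub(lambda m: base64.b64decode(m.group(1)).decode(), escaped)


def smuggle(markup):
    """What an attacker writes into a plain-text body to abuse step 3 (constructed)."""
    return OPEN + base64.b64encode(markup.encode()).decode() + CLOSE


# URL matcher that runs on already-escaped text and stops at escaped <, >, ", '.
ESCAPED_URL_RE = re.compile(r"https?://(?:(?!&lt;|&gt;|&quot;|&#x27;)[^\s<>\"'])+")
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def linkify_hardened(text):
    """Escape first, then linkify on the escaped text.

    No placeholders exist, so there is nothing for attacker-controlled bytes
    to impersonate; C0 control bytes are dropped as well, since plain text
    has no legitimate use for them.
    """
    escaped = html.escape(CONTROL_RE.sub("", text), quote=True)
    # Every character the regex can capture is already HTML-safe, so the match
    # can go straight into both the attribute and the element body.
    return ESCAPED_URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', escaped)


if __name__ == "__main__":
    # Constructed sample body: a real URL followed by smuggled markup.
    body = "see https://example.com/x " + smuggle("<script>alert(1)</script>")
    print(linkify_vulnerable(body))
    print(linkify_hardened(body))
```

Running the block shows the vulnerable filter emitting the smuggled `<script>` element unescaped while still autolinking the genuine URL; the hardened filter produces the same anchor but leaves the smuggled payload as inert base64 text. The general lesson is that any "hide, escape, restore" design needs its markers to be unforgeable by input, and the simplest way to get there is to not restore anything at all.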
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-02-09 CVE Reserved
- 2021-02-14 CVE Published
- 2021-04-15 First Exploit
- 2024-08-03 CVE Updated
- 2024-11-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (8)
URL | Tag | Source
---|---|---
http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html | Third Party Advisory |
https://github.com/horde/webmail/releases | Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2021/02/msg00028.html | Mailing List |

URL | Date | SRC
---|---|---
https://www.exploit-db.com/exploits/49769 | 2021-04-15 |
http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html | 2024-08-03 |
https://www.alexbirnberg.com/horde-xss.html | 2024-08-03 |

URL | Date | SRC
---|---|---
https://lists.horde.org/archives/announce/2021/001298.html | 2021-04-19 |
https://www.horde.org/apps/webmail | 2021-04-19 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Horde | Groupware | <= 5.2.22 | webmail | Affected
Debian | Debian Linux | 9.0 | - | Affected