CVE-2005-4192
Description
Multiple cross-site scripting (XSS) vulnerabilities in templates/notepads/notepads.inc in Horde Mnemo Note Manager H3 before 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) the notepad's name or (2) description, when creating a new notepad.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <2.0.3
- (no CPE) range: <2.0.3
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization of notepad name and description fields allows stored cross-site scripting."
Attack vector
A remote authenticated user can inject arbitrary web script or HTML through the notepad's name or description fields when creating a new notepad [ref_id=1]. The injected payload is stored and later executed in the browsers of other authenticated users who view the notepad listing. No unauthenticated exploitation is possible [ref_id=1].
Affected code
The vulnerability resides in `templates/notepads/notepads.inc` within the Mnemo Note Manager H3 before version 2.0.3. The notepad's name and description fields are not sanitized before being rendered, allowing stored XSS.
What the fix does
The advisory states that Mnemo H3 (2.0.3) is a security release that "closes several XSS vulnerabilities with note and notepad data" [ref_id=1]. The fix involves properly escaping or sanitizing the notepad name and description fields before output, preventing injected HTML or script from being interpreted by the browser. No patch diff is included in the bundle.
Preconditions
- auth: Attacker must be an authenticated user of the Mnemo application
- input: Attacker must have the ability to create or edit notepads
Reproduction
The referenced PoC URL (http://www.sec-consult.com/245.html) is not accessible in the bundle, so no reproduction steps can be provided.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- cvs.horde.org/diff.php/mnemo/templates/notepads/notepads.inc (nvd; Patch)
- lists.horde.org/archives/announce/2005/000237.html (nvd; Patch)
- secunia.com/advisories/17964 (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/15803 (nvd; Patch)
- www.sec-consult.com/245.html (nvd; Exploit, Vendor Advisory)
- www.vupen.com/english/advisories/2005/2833 (nvd)