Horde
Source repositories
- https://github.com/horde/hordearchived
CVEs (25)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2012-0209 | 0.09 | — | 0.72 | Sep 25, 2012 | Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers… | |||
| CVE-2009-0932 | 0.06 | — | 0.41 | Mar 17, 2009 | Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name. | |||
| CVE-2006-1260 | 0.04 | — | 0.12 | Mar 19, 2006 | Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check. | |||
| CVE-2001-1370 | 0.04 | — | 0.17 | Jul 21, 2001 | prepend.php3 in PHPLib before 7.2d, when register_globals is enabled for PHP, allows remote attackers to execute arbitrary scripts via an HTTP request that modifies $_PHPLIB[libdir] to point to malicious code on another server, as seen in Horde 1.2.5 and earlier, IMP before… | |||
| CVE-2015-7984 | 0.03 | — | 0.04 | Nov 19, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1)… | |||
| CVE-2008-3824 | 0.03 | — | 0.05 | Sep 12, 2008 | Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier allows remote attackers to inject arbitrary web script or HTML by using / (slash) characters as… | |||
| CVE-2008-3823 | 0.03 | — | 0.03 | Sep 12, 2008 | Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of a MIME attachment in an e-mail message. | |||
| CVE-2005-3344 | 0.01 | — | 0.08 | Nov 16, 2005 | The default installation of Horde 3.0.4 contains an administrative account with a blank password, which allows remote attackers to gain access. | |||
| CVE-2014-1691 | 0.00 | — | 0.43 | Apr 1, 2014 | The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form. | |||
| CVE-2010-1638 | 0.00 | — | 0.01 | Jun 22, 2010 | The IMP plugin in Horde allows remote attackers to bypass firewall restrictions and use Horde as a proxy to scan internal networks via a crafted request to an unspecified test script. NOTE: this is only a vulnerability when the administrator does not follow recommendations in… | |||
| CVE-2008-7218 | 0.00 | — | 0.02 | Sep 13, 2009 | Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before… | |||
| CVE-2009-0931 | 0.00 | — | 0.02 | Mar 17, 2009 | Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2008-3330 | 0.00 | — | 0.01 | Jul 27, 2008 | Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inject arbitrary web script or HTML via the contact name. | |||
| CVE-2008-1284 | 0.00 | — | 0.02 | Mar 11, 2008 | Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme… | |||
| CVE-2007-6018 | 0.00 | — | 0.02 | Jan 11, 2008 | IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 does not validate unspecified HTTP requests, which allows remote attackers to (1) delete arbitrary e-mail messages via a modified numeric ID or (2) "purge" deleted emails via a… | |||
| CVE-2006-4255 | 0.00 | — | 0.02 | Aug 21, 2006 | Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Horde IMP H3 before 4.1.3 allows remote attackers to include arbitrary web script or HTML via multiple unspecified vectors related to folder names, as injected into the vfolder_label form field in the IMP search… | |||
| CVE-2006-3548 | 0.00 | — | 0.02 | Jul 13, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url… | |||
| CVE-2006-2195 | 0.00 | — | 0.02 | Jun 15, 2006 | Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) templates/problem/problem.inc and (2) test.php. | |||
| CVE-2005-3759 | 0.00 | — | 0.01 | Nov 22, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in Horde before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) gzip/tar and (2) css MIME viewers, which do not filter or escape dangerous HTML when extracting and displaying attachments. | |||
| CVE-2005-3570 | 0.00 | — | 0.02 | Nov 16, 2005 | Unspecified cross-site scripting (XSS) vulnerability in Horde before 2.2.9 allows remote attackers to inject arbitrary web script or HTML via "not properly escaped error messages". |
- CVE-2012-0209Sep 25, 2012risk 0.09cvss —epss 0.72
Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers…
- CVE-2009-0932Mar 17, 2009risk 0.06cvss —epss 0.41
Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image driver name.
- CVE-2006-1260Mar 19, 2006risk 0.04cvss —epss 0.12
Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check.
- CVE-2001-1370Jul 21, 2001risk 0.04cvss —epss 0.17
prepend.php3 in PHPLib before 7.2d, when register_globals is enabled for PHP, allows remote attackers to execute arbitrary scripts via an HTTP request that modifies $_PHPLIB[libdir] to point to malicious code on another server, as seen in Horde 1.2.5 and earlier, IMP before…
- CVE-2015-7984Nov 19, 2015risk 0.03cvss —epss 0.04
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1)…
- CVE-2008-3824Sep 12, 2008risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier allows remote attackers to inject arbitrary web script or HTML by using / (slash) characters as…
- CVE-2008-3823Sep 12, 2008risk 0.03cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of a MIME attachment in an e-mail message.
- CVE-2005-3344Nov 16, 2005risk 0.01cvss —epss 0.08
The default installation of Horde 3.0.4 contains an administrative account with a blank password, which allows remote attackers to gain access.
- CVE-2014-1691Apr 1, 2014risk 0.00cvss —epss 0.43
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
- CVE-2010-1638Jun 22, 2010risk 0.00cvss —epss 0.01
The IMP plugin in Horde allows remote attackers to bypass firewall restrictions and use Horde as a proxy to scan internal networks via a crafted request to an unspecified test script. NOTE: this is only a vulnerability when the administrator does not follow recommendations in…
- CVE-2008-7218Sep 13, 2009risk 0.00cvss —epss 0.02
Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before…
- CVE-2009-0931Mar 17, 2009risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2008-3330Jul 27, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inject arbitrary web script or HTML via the contact name.
- CVE-2008-1284Mar 11, 2008risk 0.00cvss —epss 0.02
Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme…
- CVE-2007-6018Jan 11, 2008risk 0.00cvss —epss 0.02
IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 does not validate unspecified HTTP requests, which allows remote attackers to (1) delete arbitrary e-mail messages via a modified numeric ID or (2) "purge" deleted emails via a…
- CVE-2006-4255Aug 21, 2006risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Horde IMP H3 before 4.1.3 allows remote attackers to include arbitrary web script or HTML via multiple unspecified vectors related to folder names, as injected into the vfolder_label form field in the IMP search…
- CVE-2006-3548Jul 13, 2006risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url…
- CVE-2006-2195Jun 15, 2006risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) templates/problem/problem.inc and (2) test.php.
- CVE-2005-3759Nov 22, 2005risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Horde before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) gzip/tar and (2) css MIME viewers, which do not filter or escape dangerous HTML when extracting and displaying attachments.
- CVE-2005-3570Nov 16, 2005risk 0.00cvss —epss 0.02
Unspecified cross-site scripting (XSS) vulnerability in Horde before 2.2.9 allows remote attackers to inject arbitrary web script or HTML via "not properly escaped error messages".
Page 1 of 2