Application Framework
CVEs (25)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-30349 | Hig | 0.44 | 7.2 | 0.29 | Mar 21, 2025 | Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025. | ||
| CVE-2006-1491 | 0.06 | — | 0.38 | Mar 29, 2006 | Eval injection vulnerability in Horde Application Framework versions 3.0 before 3.0.10 and 3.1 before 3.1.1 allows remote attackers to execute arbitrary code via the help viewer. | |||
| CVE-2006-1260 | 0.04 | — | 0.12 | Mar 19, 2006 | Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check. | |||
| CVE-2015-7984 | 0.03 | — | 0.04 | Nov 19, 2015 | Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1)… | |||
| CVE-2010-3077 | 0.03 | — | 0.04 | Nov 9, 2010 | Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter. | |||
| CVE-2009-3701 | 0.03 | — | 0.05 | Dec 21, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the… | |||
| CVE-2007-1473 | 0.03 | — | 0.05 | Mar 16, 2007 | Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in Horde Framework before 3.1.4 RC1, when the login page contains a language selection box, allows remote attackers to inject arbitrary web script or HTML via the new_lang parameter to login.php. | |||
| CVE-2007-1474 | 0.03 | — | 0.05 | Mar 16, 2007 | Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames. | |||
| CVE-2025-5718 | 0.00 | — | 0.00 | Nov 11, 2025 | The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a… | |||
| CVE-2025-0359 | 0.00 | — | 0.00 | Mar 4, 2025 | During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released patched AXIS OS versions for the… | |||
| CVE-2021-1460 | 0.00 | — | 0.01 | Mar 24, 2021 | A vulnerability in the Cisco IOx Application Framework of Cisco 809 Industrial Integrated Services Routers (Industrial ISRs), Cisco 829 Industrial ISRs, Cisco CGR 1000 Compute Module, and Cisco IC3000 Industrial Compute Gateway could allow an unauthenticated, remote attacker to… | |||
| CVE-2020-3233 | 0.00 | — | 0.01 | Jun 3, 2020 | A vulnerability in the web-based Local Manager interface of the Cisco IOx Application Framework could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device. The… | |||
| CVE-2014-1691 | 0.00 | — | 0.43 | Apr 1, 2014 | The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form. | |||
| CVE-2010-3694 | 0.00 | — | 0.01 | Nov 9, 2010 | Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form. | |||
| CVE-2009-4363 | 0.00 | — | 0.01 | Dec 21, 2009 | Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks… | |||
| CVE-2009-3237 | 0.00 | — | 0.02 | Sep 17, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject… | |||
| CVE-2009-3236 | 0.00 | — | 0.02 | Sep 17, 2009 | The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote… | |||
| CVE-2008-5917 | 0.00 | — | 0.01 | Jan 21, 2009 | Cross-site scripting (XSS) vulnerability in the XSS filter (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3.2.2 and 3.3, when Internet Explorer is being used, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to… | |||
| CVE-2007-6018 | 0.00 | — | 0.02 | Jan 11, 2008 | IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 does not validate unspecified HTTP requests, which allows remote attackers to (1) delete arbitrary e-mail messages via a modified numeric ID or (2) "purge" deleted emails via a… | |||
| CVE-2006-4256 | 0.00 | — | 0.02 | Aug 21, 2006 | index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka "cross-site referencing." NOTE: some sources have referred to this issue as XSS,… |
- risk 0.44cvss 7.2epss 0.29
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.
- CVE-2006-1491Mar 29, 2006risk 0.06cvss —epss 0.38
Eval injection vulnerability in Horde Application Framework versions 3.0 before 3.0.10 and 3.1 before 3.1.1 allows remote attackers to execute arbitrary code via the help viewer.
- CVE-2006-1260Mar 19, 2006risk 0.04cvss —epss 0.12
Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in services/go.php, which bypasses a sanity check.
- CVE-2015-7984Nov 19, 2015risk 0.03cvss —epss 0.04
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1)…
- CVE-2010-3077Nov 9, 2010risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter.
- CVE-2009-3701Dec 21, 2009risk 0.03cvss —epss 0.05
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the…
- CVE-2007-1473Mar 16, 2007risk 0.03cvss —epss 0.05
Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in Horde Framework before 3.1.4 RC1, when the login page contains a language selection box, allows remote attackers to inject arbitrary web script or HTML via the new_lang parameter to login.php.
- CVE-2007-1474Mar 16, 2007risk 0.03cvss —epss 0.05
Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames.
- CVE-2025-5718Nov 11, 2025risk 0.00cvss —epss 0.00
The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a…
- CVE-2025-0359Mar 4, 2025risk 0.00cvss —epss 0.00
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released patched AXIS OS versions for the…
- CVE-2021-1460Mar 24, 2021risk 0.00cvss —epss 0.01
A vulnerability in the Cisco IOx Application Framework of Cisco 809 Industrial Integrated Services Routers (Industrial ISRs), Cisco 829 Industrial ISRs, Cisco CGR 1000 Compute Module, and Cisco IC3000 Industrial Compute Gateway could allow an unauthenticated, remote attacker to…
- CVE-2020-3233Jun 3, 2020risk 0.00cvss —epss 0.01
A vulnerability in the web-based Local Manager interface of the Cisco IOx Application Framework could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based Local Manager interface of an affected device. The…
- CVE-2014-1691Apr 1, 2014risk 0.00cvss —epss 0.43
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
- CVE-2010-3694Nov 9, 2010risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form.
- CVE-2009-4363Dec 21, 2009risk 0.00cvss —epss 0.01
Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks…
- CVE-2009-3237Sep 17, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject…
- CVE-2009-3236Sep 17, 2009risk 0.00cvss —epss 0.02
The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote…
- CVE-2008-5917Jan 21, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the XSS filter (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3.2.2 and 3.3, when Internet Explorer is being used, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to…
- CVE-2007-6018Jan 11, 2008risk 0.00cvss —epss 0.02
IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 does not validate unspecified HTTP requests, which allows remote attackers to (1) delete arbitrary e-mail messages via a modified numeric ID or (2) "purge" deleted emails via a…
- CVE-2006-4256Aug 21, 2006risk 0.00cvss —epss 0.02
index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka "cross-site referencing." NOTE: some sources have referred to this issue as XSS,…
Page 1 of 2