Vendor CVEs
Horde (software)
All CVEs
123 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-8035 | 0.00 | — | 0.01 | May 18, 2020 | The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them… | |||
| CVE-2013-6365 | 0.00 | — | 0.01 | Nov 5, 2019 | Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions | |||
| CVE-2013-6364 | 0.00 | — | 0.02 | Nov 5, 2019 | Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book | |||
| CVE-2019-12095 | 0.00 | — | 0.01 | Oct 24, 2019 | Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload. | |||
| CVE-2019-12094 | 0.00 | — | 0.02 | Oct 24, 2019 | Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI. | |||
| CVE-2014-4946 | 0.00 | — | 0.01 | Jul 14, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the… | |||
| CVE-2014-4945 | 0.00 | — | 0.01 | Jul 14, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2)… | |||
| CVE-2012-6640 | 0.00 | — | 0.02 | Apr 5, 2014 | Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than… | |||
| CVE-2012-5567 | 0.00 | — | 0.02 | Apr 5, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1)… | |||
| CVE-2012-5566 | 0.00 | — | 0.02 | Apr 5, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view. | |||
| CVE-2012-5565 | 0.00 | — | 0.02 | Apr 5, 2014 | Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file,… | |||
| CVE-2014-1691 | 0.00 | — | 0.43 | Apr 1, 2014 | The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form. | |||
| CVE-2012-6620 | 0.00 | — | 0.02 | Jan 16, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in the (1) tasks and (2) search views in Horde Kronolith H4 before 3.0.17 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2012-0909 | 0.00 | — | 0.02 | Jan 24, 2012 | Cross-site scripting (XSS) vulnerability in Horde_Form in Horde Groupware Webmail Edition before 4.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to email verification. NOTE: Some of these details are obtained from third… | |||
| CVE-2012-0791 | 0.00 | — | 0.02 | Jan 24, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) composeCache, (2) rtemode, or (3) filename_* parameters to the compose page;… | |||
| CVE-2010-4778 | 0.00 | — | 0.01 | Apr 4, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka… | |||
| CVE-2010-3693 | 0.00 | — | 0.03 | Apr 4, 2011 | Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names. | |||
| CVE-2010-3447 | 0.00 | — | 0.02 | Apr 4, 2011 | Cross-site scripting (XSS) vulnerability in view.php in the file viewer in Horde Gollem before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the file parameter in a view_file action. | |||
| CVE-2010-3694 | 0.00 | — | 0.01 | Nov 9, 2010 | Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form. | |||
| CVE-2010-1638 | 0.00 | — | 0.01 | Jun 22, 2010 | The IMP plugin in Horde allows remote attackers to bypass firewall restrictions and use Horde as a proxy to scan internal networks via a crafted request to an unspecified test script. NOTE: this is only a vulnerability when the administrator does not follow recommendations in… | |||
| CVE-2010-0463 | 0.00 | — | 0.02 | Jan 29, 2010 | Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. | |||
| CVE-2009-4363 | 0.00 | — | 0.01 | Dec 21, 2009 | Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks… | |||
| CVE-2009-3237 | 0.00 | — | 0.02 | Sep 17, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject… | |||
| CVE-2009-3236 | 0.00 | — | 0.02 | Sep 17, 2009 | The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote… | |||
| CVE-2008-7219 | 0.00 | — | 0.03 | Sep 13, 2009 | Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before… | |||
| CVE-2008-7218 | 0.00 | — | 0.02 | Sep 13, 2009 | Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before… | |||
| CVE-2008-6746 | 0.00 | — | 0.01 | Apr 23, 2009 | Cross-site scripting (XSS) vulnerability in the contact display view in Turba Contact Manager H3 before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the contact name. | |||
| CVE-2009-0931 | 0.00 | — | 0.02 | Mar 17, 2009 | Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||
| CVE-2009-0930 | 0.00 | — | 0.02 | Mar 17, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 4.2.2 and 4.3.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) smime.php, (2) pgp.php, and (3) message.php. | |||
| CVE-2008-5917 | 0.00 | — | 0.01 | Jan 21, 2009 | Cross-site scripting (XSS) vulnerability in the XSS filter (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3.2.2 and 3.3, when Internet Explorer is being used, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to… | |||
| CVE-2008-4182 | 0.00 | — | 0.01 | Sep 23, 2008 | Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba Contact Manager H3 2.2.1 and other versions before 2.3.1, and possibly other Horde Project products, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session. | |||
| CVE-2008-3650 | 0.00 | — | 0.01 | Aug 13, 2008 | Multiple unspecified vulnerabilities in Horde Groupware Webmail before Edition 1.1.1 (final) have unknown impact and attack vectors related to "unescaped output," possibly cross-site scripting (XSS), in the (1) object browser and (2) contact view. | |||
| CVE-2008-3330 | 0.00 | — | 0.01 | Jul 27, 2008 | Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inject arbitrary web script or HTML via the contact name. | |||
| CVE-2008-1284 | 0.00 | — | 0.02 | Mar 11, 2008 | Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme… | |||
| CVE-2008-0807 | 0.00 | — | 0.01 | Feb 19, 2008 | lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote… | |||
| CVE-2007-6018 | 0.00 | — | 0.02 | Jan 11, 2008 | IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 does not validate unspecified HTTP requests, which allows remote attackers to (1) delete arbitrary e-mail messages via a modified numeric ID or (2) "purge" deleted emails via a… | |||
| CVE-2007-0579 | 0.00 | — | 0.01 | Jan 30, 2007 | Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information. | |||
| CVE-2006-6175 | 0.00 | — | 0.02 | Nov 30, 2006 | Directory traversal vulnerability in lib/FBView.php in Horde Kronolith H3 before 2.0.7 and 2.1.x before 2.1.4 allows remote attackers to include arbitrary files and execute PHP code via a .. (dot dot) sequence in the view parameter. | |||
| CVE-2006-5449 | 0.00 | — | 0.02 | Oct 23, 2006 | procmail in Ingo H3 before 1.1.2 Horde module allows remote authenticated users to execute arbitrary commands via shell metacharacters in the mailbox destination of a filter rule. | |||
| CVE-2006-4255 | 0.00 | — | 0.02 | Aug 21, 2006 | Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Horde IMP H3 before 4.1.3 allows remote attackers to include arbitrary web script or HTML via multiple unspecified vectors related to folder names, as injected into the vfolder_label form field in the IMP search… | |||
| CVE-2006-4256 | 0.00 | — | 0.02 | Aug 21, 2006 | index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka "cross-site referencing." NOTE: some sources have referred to this issue as XSS,… | |||
| CVE-2006-3548 | 0.00 | — | 0.02 | Jul 13, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url… | |||
| CVE-2006-3549 | 0.00 | — | 0.02 | Jul 13, 2006 | services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp… | |||
| CVE-2006-2195 | 0.00 | — | 0.02 | Jun 15, 2006 | Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) templates/problem/problem.inc and (2) test.php. | |||
| CVE-2005-4242 | 0.00 | — | 0.01 | Dec 14, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Turba H3 2.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the address book and (2) contact data. | |||
| CVE-2005-4191 | 0.00 | — | 0.01 | Dec 13, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in templates/tasklists/tasklists.inc in Horde Nag Task List Manager H3 before 2.0.4 allow remote authenticated users to inject arbitrary web script or HTML via (1) the tasklist's name or (2) description, when creating a new… | |||
| CVE-2005-4192 | 0.00 | — | 0.01 | Dec 13, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in templates/notepads/notepads.inc in Horde Mnemo Note Manager H3 before 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) the notepad's name or (2) description, when creating a new notepad. | |||
| CVE-2005-4189 | 0.00 | — | 0.01 | Dec 13, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith H3 before 2.0.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the Calendar name field when creating calendars, (2) event title field when deleting events, the (3) Category… | |||
| CVE-2005-4190 | 0.00 | — | 0.02 | Dec 13, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework before 3.0.8 allow remote authenticated users to inject arbitrary web script or HTML via multiple vectors, as demonstrated by (1) the identity field, (2) Category and (3) Label search fields, (4)… | |||
| CVE-2005-3759 | 0.00 | — | 0.01 | Nov 22, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in Horde before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) gzip/tar and (2) css MIME viewers, which do not filter or escape dangerous HTML when extracting and displaying attachments. |
- CVE-2020-8035May 18, 2020risk 0.00cvss —epss 0.01
The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them…
- CVE-2013-6365Nov 5, 2019risk 0.00cvss —epss 0.01
Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions
- CVE-2013-6364Nov 5, 2019risk 0.00cvss —epss 0.02
Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book
- CVE-2019-12095Oct 24, 2019risk 0.00cvss —epss 0.01
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload.
- CVE-2019-12094Oct 24, 2019risk 0.00cvss —epss 0.02
Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.
- CVE-2014-4946Jul 14, 2014risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the…
- CVE-2014-4945Jul 14, 2014risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2)…
- CVE-2012-6640Apr 5, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than…
- CVE-2012-5567Apr 5, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1)…
- CVE-2012-5566Apr 5, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view.
- CVE-2012-5565Apr 5, 2014risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file,…
- CVE-2014-1691Apr 1, 2014risk 0.00cvss —epss 0.43
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
- CVE-2012-6620Jan 16, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the (1) tasks and (2) search views in Horde Kronolith H4 before 3.0.17 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2012-0909Jan 24, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in Horde_Form in Horde Groupware Webmail Edition before 4.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to email verification. NOTE: Some of these details are obtained from third…
- CVE-2012-0791Jan 24, 2012risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) composeCache, (2) rtemode, or (3) filename_* parameters to the compose page;…
- CVE-2010-4778Apr 4, 2011risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka…
- CVE-2010-3693Apr 4, 2011risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names.
- CVE-2010-3447Apr 4, 2011risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in view.php in the file viewer in Horde Gollem before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the file parameter in a view_file action.
- CVE-2010-3694Nov 9, 2010risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form.
- CVE-2010-1638Jun 22, 2010risk 0.00cvss —epss 0.01
The IMP plugin in Horde allows remote attackers to bypass firewall restrictions and use Horde as a proxy to scan internal networks via a crafted request to an unspecified test script. NOTE: this is only a vulnerability when the administrator does not follow recommendations in…
- CVE-2010-0463Jan 29, 2010risk 0.00cvss —epss 0.02
Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
- CVE-2009-4363Dec 21, 2009risk 0.00cvss —epss 0.01
Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks…
- CVE-2009-3237Sep 17, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject…
- CVE-2009-3236Sep 17, 2009risk 0.00cvss —epss 0.02
The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote…
- CVE-2008-7219Sep 13, 2009risk 0.00cvss —epss 0.03
Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before…
- CVE-2008-7218Sep 13, 2009risk 0.00cvss —epss 0.02
Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before…
- CVE-2008-6746Apr 23, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the contact display view in Turba Contact Manager H3 before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the contact name.
- CVE-2009-0931Mar 17, 2009risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4 and 3.3.3, and Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- CVE-2009-0930Mar 17, 2009risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 4.2.2 and 4.3.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) smime.php, (2) pgp.php, and (3) message.php.
- CVE-2008-5917Jan 21, 2009risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in the XSS filter (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3.2.2 and 3.3, when Internet Explorer is being used, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to…
- CVE-2008-4182Sep 23, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in imp/test.php in Horde Turba Contact Manager H3 2.2.1 and other versions before 2.3.1, and possibly other Horde Project products, allows remote attackers to inject arbitrary web script or HTML via the User field in an IMAP session.
- CVE-2008-3650Aug 13, 2008risk 0.00cvss —epss 0.01
Multiple unspecified vulnerabilities in Horde Groupware Webmail before Edition 1.1.1 (final) have unknown impact and attack vectors related to "unescaped output," possibly cross-site scripting (XSS), in the (1) object browser and (2) contact view.
- CVE-2008-3330Jul 27, 2008risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inject arbitrary web script or HTML via the contact name.
- CVE-2008-1284Mar 11, 2008risk 0.00cvss —epss 0.02
Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme…
- CVE-2008-0807Feb 19, 2008risk 0.00cvss —epss 0.01
lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote…
- CVE-2007-6018Jan 11, 2008risk 0.00cvss —epss 0.02
IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 does not validate unspecified HTTP requests, which allows remote attackers to (1) delete arbitrary e-mail messages via a modified numeric ID or (2) "purge" deleted emails via a…
- CVE-2007-0579Jan 30, 2007risk 0.00cvss —epss 0.01
Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information.
- CVE-2006-6175Nov 30, 2006risk 0.00cvss —epss 0.02
Directory traversal vulnerability in lib/FBView.php in Horde Kronolith H3 before 2.0.7 and 2.1.x before 2.1.4 allows remote attackers to include arbitrary files and execute PHP code via a .. (dot dot) sequence in the view parameter.
- CVE-2006-5449Oct 23, 2006risk 0.00cvss —epss 0.02
procmail in Ingo H3 before 1.1.2 Horde module allows remote authenticated users to execute arbitrary commands via shell metacharacters in the mailbox destination of a filter rule.
- CVE-2006-4255Aug 21, 2006risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Horde IMP H3 before 4.1.3 allows remote attackers to include arbitrary web script or HTML via multiple unspecified vectors related to folder names, as injected into the vfolder_label form field in the IMP search…
- CVE-2006-4256Aug 21, 2006risk 0.00cvss —epss 0.02
index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka "cross-site referencing." NOTE: some sources have referred to this issue as XSS,…
- CVE-2006-3548Jul 13, 2006risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url…
- CVE-2006-3549Jul 13, 2006risk 0.00cvss —epss 0.02
services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp…
- CVE-2006-2195Jun 15, 2006risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via (1) templates/problem/problem.inc and (2) test.php.
- CVE-2005-4242Dec 14, 2005risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Horde Turba H3 2.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the address book and (2) contact data.
- CVE-2005-4191Dec 13, 2005risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in templates/tasklists/tasklists.inc in Horde Nag Task List Manager H3 before 2.0.4 allow remote authenticated users to inject arbitrary web script or HTML via (1) the tasklist's name or (2) description, when creating a new…
- CVE-2005-4192Dec 13, 2005risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in templates/notepads/notepads.inc in Horde Mnemo Note Manager H3 before 2.0.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) the notepad's name or (2) description, when creating a new notepad.
- CVE-2005-4189Dec 13, 2005risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith H3 before 2.0.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the Calendar name field when creating calendars, (2) event title field when deleting events, the (3) Category…
- CVE-2005-4190Dec 13, 2005risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework before 3.0.8 allow remote authenticated users to inject arbitrary web script or HTML via multiple vectors, as demonstrated by (1) the identity field, (2) Category and (3) Label search fields, (4)…
- CVE-2005-3759Nov 22, 2005risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Horde before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) gzip/tar and (2) css MIME viewers, which do not filter or escape dangerous HTML when extracting and displaying attachments.
Page 2 of 3