4.3

CVE-2009-3701

Exploit

Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.

Data is provided by the National Vulnerability Database (NVD)
HordeApplication Framework Version <= 3.3.5
HordeApplication Framework Version2.0
HordeApplication Framework Version2.1
HordeApplication Framework Version2.1.3
HordeApplication Framework Version2.2
HordeApplication Framework Version2.2.1
HordeApplication Framework Version2.2.3
HordeApplication Framework Version2.2.4
HordeApplication Framework Version2.2.4_rc1
HordeApplication Framework Version2.2.5
HordeApplication Framework Version2.2.6
HordeApplication Framework Version3.0
HordeApplication Framework Version3.0.1
HordeApplication Framework Version3.0.2
HordeApplication Framework Version3.0.3
HordeApplication Framework Version3.0.4
HordeApplication Framework Version3.0.6
HordeApplication Framework Version3.0.7
HordeApplication Framework Version3.0.8
HordeApplication Framework Version3.0.9
HordeApplication Framework Version3.1
HordeApplication Framework Version3.1.1
HordeApplication Framework Version3.2
HordeApplication Framework Version3.2.1
HordeApplication Framework Version3.2.2
HordeApplication Framework Version3.2.3
HordeApplication Framework Version3.2.4
HordeApplication Framework Version3.3
HordeApplication Framework Version3.3.1
HordeApplication Framework Version3.3.2
HordeApplication Framework Version3.3.3
HordeApplication Framework Version3.3.4
HordeGroupware Version <= 1.2.4
HordeGroupware Version1.0
HordeGroupware Version1.0.1
HordeGroupware Version1.0.2
HordeGroupware Version1.0.3
HordeGroupware Version1.0.4
HordeGroupware Version1.0.5
HordeGroupware Version1.1
HordeGroupware Version1.1.1
HordeGroupware Version1.1.2
HordeGroupware Version1.1.3
HordeGroupware Version1.1.4
HordeGroupware Version1.1.5
HordeGroupware Version1.2
HordeGroupware Version1.2 Updaterc1
HordeGroupware Version1.2.1
HordeGroupware Version1.2.2
HordeGroupware Version1.2.3
HordeGroupware Version <= 1.2.4
HordeGroupware Version1.0
HordeGroupware Version1.0 Updaterc1
HordeGroupware Version1.0 Updaterc2
HordeGroupware Version1.0.1
HordeGroupware Version1.0.2
HordeGroupware Version1.0.3
HordeGroupware Version1.0.4
HordeGroupware Version1.0.5
HordeGroupware Version1.0.6
HordeGroupware Version1.0.7
HordeGroupware Version1.0.8
HordeGroupware Version1.1
HordeGroupware Version1.1 Updaterc1
HordeGroupware Version1.1 Updaterc2
HordeGroupware Version1.1 Updaterc3
HordeGroupware Version1.1 Updaterc4
HordeGroupware Version1.1.1
HordeGroupware Version1.1.2
HordeGroupware Version1.1.3
HordeGroupware Version1.1.4
HordeGroupware Version1.1.5
HordeGroupware Version1.1.6
HordeGroupware Version1.2
HordeGroupware Version1.2 Updaterc1
HordeGroupware Version1.2.1
HordeGroupware Version1.2.2
HordeGroupware Version1.2.3
HordeGroupware Version1.2.3 Updaterc1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.19% 0.837
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.