4.3

CVE-2009-4363

Exploit

Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message.  NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."

Data is provided by the National Vulnerability Database (NVD)
Horde Application Framework Version <= 3.3.5
Horde Application Framework Version 2.0
Horde Application Framework Version 2.1
Horde Application Framework Version 2.1.3
Horde Application Framework Version 2.2
Horde Application Framework Version 2.2.1
Horde Application Framework Version 2.2.3
Horde Application Framework Version 2.2.4
Horde Application Framework Version 2.2.4_rc1
Horde Application Framework Version 2.2.5
Horde Application Framework Version 2.2.6
Horde Application Framework Version 3.0
Horde Application Framework Version 3.0.1
Horde Application Framework Version 3.0.2
Horde Application Framework Version 3.0.3
Horde Application Framework Version 3.0.4
Horde Application Framework Version 3.0.6
Horde Application Framework Version 3.0.7
Horde Application Framework Version 3.0.8
Horde Application Framework Version 3.0.9
Horde Application Framework Version 3.1
Horde Application Framework Version 3.1.1
Horde Application Framework Version 3.2
Horde Application Framework Version 3.2.1
Horde Application Framework Version 3.2.2
Horde Application Framework Version 3.2.3
Horde Application Framework Version 3.2.4
Horde Application Framework Version 3.3
Horde Application Framework Version 3.3.1
Horde Application Framework Version 3.3.2
Horde Application Framework Version 3.3.3
Horde Application Framework Version 3.3.4
Horde Groupware Version <= 1.2.4
Horde Groupware Version 1.0
Horde Groupware Version 1.0.1
Horde Groupware Version 1.0.2
Horde Groupware Version 1.0.3
Horde Groupware Version 1.0.4
Horde Groupware Version 1.0.5
Horde Groupware Version 1.1
Horde Groupware Version 1.1.1
Horde Groupware Version 1.1.2
Horde Groupware Version 1.1.3
Horde Groupware Version 1.1.4
Horde Groupware Version 1.1.5
Horde Groupware Version 1.2
Horde Groupware Version 1.2 Update rc1
Horde Groupware Version 1.2.1
Horde Groupware Version 1.2.2
Horde Groupware Version 1.2.3
Horde Groupware Version <= 1.2.4
Horde Groupware Version 1.0
Horde Groupware Version 1.0 Update rc1
Horde Groupware Version 1.0 Update rc2
Horde Groupware Version 1.0.1
Horde Groupware Version 1.0.2
Horde Groupware Version 1.0.3
Horde Groupware Version 1.0.4
Horde Groupware Version 1.0.5
Horde Groupware Version 1.0.6
Horde Groupware Version 1.0.7
Horde Groupware Version 1.0.8
Horde Groupware Version 1.1
Horde Groupware Version 1.1 Update rc1
Horde Groupware Version 1.1 Update rc2
Horde Groupware Version 1.1 Update rc3
Horde Groupware Version 1.1 Update rc4
Horde Groupware Version 1.1.1
Horde Groupware Version 1.1.2
Horde Groupware Version 1.1.3
Horde Groupware Version 1.1.4
Horde Groupware Version 1.1.5
Horde Groupware Version 1.1.6
Horde Groupware Version 1.2
Horde Groupware Version 1.2 Update rc1
Horde Groupware Version 1.2.1
Horde Groupware Version 1.2.2
Horde Groupware Version 1.2.3
Horde Groupware Version 1.2.3 Update rc1
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.48%   0.621
CVSS Metrics
Source         Base Score   Exploit Score   Impact Score   Vector string
nvd@nist.gov   4.3          8.6             2.9            AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.