6.1
CVE-2020-8034
- EPSS 0.97%
- Veröffentlicht 18.05.2020 17:15:11
- Zuletzt bearbeitet 21.11.2024 05:38:15
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.97% | 0.574 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES
https://github.com/horde/gollem/commits/master
https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html
https://lists.horde.org/archives/announce/2020/001289.html
https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html