Horde

Groupware

45 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2019-12095

Exploit
  • EPSS 0.48%
  • Published 24.10.2019 18:15:11
  • Last modified 21.11.2024 04:22:11

Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored ...

6.1

CVE-2019-12094

Exploit
  • EPSS 0.95%
  • Published 24.10.2019 17:15:12
  • Last modified 21.11.2024 04:22:11

Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.

8.8

CVE-2019-9858

Exploit
  • EPSS 80.41%
  • Published 29.05.2019 17:29:00
  • Last modified 21.11.2024 04:52:27

Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes t...

5.4

CVE-2017-16908

Exploit
  • EPSS 0.46%
  • Published 20.11.2017 20:29:00
  • Last modified 20.04.2025 01:37:25

In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be...

5.4

CVE-2017-16907

Exploit
  • EPSS 0.23%
  • Published 20.11.2017 20:29:00
  • Last modified 20.04.2025 01:37:25

In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.

5.4

CVE-2017-16906

Exploit
  • EPSS 0.25%
  • Published 20.11.2017 20:29:00
  • Last modified 20.04.2025 01:37:25

In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.

7.5

CVE-2017-15235

Exploit
  • EPSS 12.69%
  • Published 11.10.2017 03:29:00
  • Last modified 20.04.2025 01:37:25

The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename.

7.5

CVE-2017-7414

  • EPSS 1.3%
  • Published 04.04.2017 14:59:00
  • Last modified 20.04.2025 01:37:25

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automaticall...

9

CVE-2017-7413

  • EPSS 18.48%
  • Published 04.04.2017 14:59:00
  • Last modified 20.04.2025 01:37:25

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an e...

6.1

CVE-2016-5303

  • EPSS 0.36%
  • Published 20.12.2016 22:59:00
  • Last modified 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1)...