Horde

Groupware

45 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2019-12095

Exploit
  • EPSS 0.48%
  • Veröffentlicht 24.10.2019 18:15:11
  • Zuletzt bearbeitet 21.11.2024 04:22:11

Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored ...

6.1

CVE-2019-12094

Exploit
  • EPSS 0.95%
  • Veröffentlicht 24.10.2019 17:15:12
  • Zuletzt bearbeitet 21.11.2024 04:22:11

Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.

8.8

CVE-2019-9858

Exploit
  • EPSS 80.41%
  • Veröffentlicht 29.05.2019 17:29:00
  • Zuletzt bearbeitet 21.11.2024 04:52:27

Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes t...

5.4

CVE-2017-16908

Exploit
  • EPSS 0.46%
  • Veröffentlicht 20.11.2017 20:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be...

5.4

CVE-2017-16907

Exploit
  • EPSS 0.23%
  • Veröffentlicht 20.11.2017 20:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.

5.4

CVE-2017-16906

Exploit
  • EPSS 0.25%
  • Veröffentlicht 20.11.2017 20:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.

7.5

CVE-2017-15235

Exploit
  • EPSS 12.69%
  • Veröffentlicht 11.10.2017 03:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename.

7.5

CVE-2017-7414

  • EPSS 1.3%
  • Veröffentlicht 04.04.2017 14:59:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automaticall...

9

CVE-2017-7413

  • EPSS 18.48%
  • Veröffentlicht 04.04.2017 14:59:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an e...

6.1

CVE-2016-5303

  • EPSS 0.36%
  • Veröffentlicht 20.12.2016 22:59:00
  • Zuletzt bearbeitet 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1)...