Skip to main content

Groupware CVE-2017-16908

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2017-11-20 cve@mitre.org
5.4
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 20, 2017 - 20:29 cve.org
MEDIUM 5.4

DescriptionCVE.org

In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.

AnalysisAI

In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed. Affected products include: Horde Groupware.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2012-0209 HIGH POC
7.5 Sep 25

Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November

CVE-2020-8518 CRITICAL POC
9.8 Feb 17

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execu

CVE-2019-9858 HIGH POC
8.8 May 29

Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Rated high severity (CVSS 8.8), this

CVE-2017-15235 HIGH POC
7.5 Oct 11

The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication

CVE-2019-12095 HIGH POC
8.8 Oct 24

Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated

CVE-2022-30287 HIGH POC
8.0 Jul 28

Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instan

CVE-2017-7413 HIGH
8.8 Apr 04

In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur i

CVE-2015-7984 MEDIUM POC
6.8 Nov 19

Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Hor

CVE-2020-8866 MEDIUM POC
6.5 Mar 23

This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmai

CVE-2020-8865 MEDIUM POC
6.3 Mar 23

This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webma

CVE-2015-8807 MEDIUM POC
6.1 Apr 13

Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/U

CVE-2016-2228 MEDIUM POC
6.1 Apr 13

Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 an

Share

CVE-2017-16908 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy