This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor            Horde
Product           Application Framework
Version           3.1
Update            *
Edition           *
Language          *
Software Edition  *
Target Software   *
Target Hardware   *
Other             *

First view        2006-03-29
Last view         2009-12-21
Type              Application
CPE Product cpe:2.3:a:horde:application_framework

Related : CVE

Score Date Alert Description
4.3 2009-12-21 CVE-2009-4363

Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."

4.3 2009-12-21 CVE-2009-3701

Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.

4.3 2006-08-21 CVE-2006-4256

index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could be useful for phishing attacks, via a URL in the url parameter, aka "cross-site referencing." NOTE: some sources have referred to this issue as XSS, but it is different than classic XSS.

7.5 2006-03-29 CVE-2006-1491

Eval injection vulnerability in Horde Application Framework versions 3.0 before 3.0.10 and 3.1 before 3.1.1 allows remote attackers to execute arbitrary code via the help viewer.

CWE : Common Weakness Enumeration

% id Name
66% (2) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
33% (1) CWE-94 Failure to Control Generation of Code ('Code Injection')

Open Source Vulnerability Database (OSVDB)

id Description
61338 Horde Xss.php Filter Bypass data:// URI XSS
61304 Horde Administration Interface admin/sqlshell.php PATH_INFO Parameter XSS
61303 Horde Administration Interface admin/cmdshell.php PATH_INFO Parameter XSS
61043 Horde Administration Interface admin/phpshell.php PATH_INFO Parameter XSS
27982 Horde index.php Cross Frame Content Loading
27981 Horde search.php Multiple Field XSS
24322 Horde Help Viewer Arbitrary Code Execution

ExploitDB Exploits

id Description
10512 Horde 3.3.5 "PHP_SELF" XSS vulnerability

OpenVAS Exploits

Date Description
2010-04-06 Name : Fedora Update for horde FEDORA-2010-5483
File : nvt/gb_fedora_2010_5483_horde_fc11.nasl
2010-04-06 Name : Fedora Update for horde FEDORA-2010-5520
File : nvt/gb_fedora_2010_5520_horde_fc12.nasl
2010-01-11 Name : Debian Security Advisory DSA 1966-1 (horde3)
File : nvt/deb_1966_1.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200604-02 (horde)
File : nvt/glsa_200604_02.nasl
2008-09-04 Name : FreeBSD Ports: horde, horde-php5
File : nvt/freebsd_horde5.nasl
2008-09-04 Name : FreeBSD Ports: horde
File : nvt/freebsd_horde8.nasl
2008-01-17 Name : Debian Security Advisory DSA 1033-1 (horde3)
File : nvt/deb_1033_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1034-1 (horde2)
File : nvt/deb_1034_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1406-1 (horde3)
File : nvt/deb_1406_1.nasl

Snort® IPS/IDS

Date Description
2014-01-10 horde help module arbitrary command execution attempt
RuleID : 6403 - Type : SERVER-WEBAPP - Revision : 14

Nessus® Vulnerability Scanner

Date Description
2010-07-01 Name: The remote Fedora host is missing a security update.
File: fedora_2010-5483.nasl - Type: ACT_GATHER_INFO
2010-07-01 Name: The remote Fedora host is missing a security update.
File: fedora_2010-5520.nasl - Type: ACT_GATHER_INFO
2010-07-01 Name: The remote Fedora host is missing a security update.
File: fedora_2010-5563.nasl - Type: ACT_GATHER_INFO
2010-02-24 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-1966.nasl - Type: ACT_GATHER_INFO
2010-02-15 Name: The remote openSUSE host is missing a security update.
File: suse_11_0_horde-100210.nasl - Type: ACT_GATHER_INFO
2007-11-12 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-1406.nasl - Type: ACT_GATHER_INFO
2006-10-14 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-1033.nasl - Type: ACT_GATHER_INFO
2006-10-14 Name: The remote Debian host is missing a security-related update.
File: debian_DSA-1034.nasl - Type: ACT_GATHER_INFO
2006-08-21 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_e2e8d3742e4011dbb6830008743bf21a.nasl - Type: ACT_GATHER_INFO
2006-05-13 Name: The remote FreeBSD host is missing one or more security-related updates.
File: freebsd_pkg_2db97aa6be8111da9b820050bf27ba24.nasl - Type: ACT_GATHER_INFO
2006-04-08 Name: The remote Gentoo host is missing one or more security-related patches.
File: gentoo_GLSA-200604-02.nasl - Type: ACT_GATHER_INFO
2006-03-29 Name: The remote web server contains a PHP application that allows execution of arb...
File: horde_help_viewer_code_exec.nasl - Type: ACT_ATTACK