Executive Summary
Summary | |
---|---|
Title | New phpgroupware package fix several vulnerabilities |
Information | |||
---|---|---|---|
Name | DSA-365 | First vendor Publication | 2003-08-05 |
Vendor | Debian | Last vendor Modification | 2003-08-05 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Several vulnerabilities have been discovered in phpgroupware:

- CAN-2003-0504: Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware 0.9.14.003 (aka webdistro) allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to index.php in the addressbook module.
- CAN-2003-0599: Unknown vulnerability in the Virtual File System (VFS) capability for phpGroupWare 0.9.16preRC and versions before 0.9.14.004 with unknown implications, related to the VFS path being under the web document root.
- CAN-2003-0657: Multiple SQL injection vulnerabilities in the infolog module of phpgroupware could allow remote attackers to execute arbitrary SQL statements.

For the stable distribution (woody), these problems have been fixed in version 0.9.14-0.RC3.2.woody2.

For the unstable distribution (sid), these problems will be fixed soon. Refer to Debian bug #201980.

We recommend that you update your phpgroupware package.
Original Source
Url : http://www.debian.org/security/2003/dsa-365 |
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 365-1 (phpgroupware) File : nvt/deb_365_1.nasl |
2005-11-03 | Name : PhpGroupWare multiple HTML injection vulnerabilities File : nvt/phpgroupware_html_injection.nasl |
2005-11-03 | Name : PhpGroupWare unspecified remote file include vulnerability File : nvt/phpgroupware_remote_file_include.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
6859 | phpGroupWare Infolog Module Multiple Parameter SQL Injection: phpGroupWare contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that variables in the 'infolog' module are not verified properly and will allow a remote attacker to inject or manipulate SQL queries. No further details have been provided. |
6858 | phpGroupWare Virtual File System Unspecified Issue: phpGroupWare contains a flaw related to the Virtual File System (VFS). No further details have been provided. |
2243 | phpGroupWare index.php Addressbook XSS: phpGroupWare contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate various Addressbook variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-365.nasl - Type : ACT_GATHER_INFO |
2004-08-17 | Name : A remote web application is vulnerable to multiple cross-site scripting attacks. File : phpgroupware_html_injection.nasl - Type : ACT_ATTACK |
2004-07-31 | Name : The remote Mandrake Linux host is missing a security update. File : mandrake_MDKSA-2003-077.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:32:50 |