PT-2009-5960 · Horde · Horde Application Framework+2

Daniel Fernã¡Ndez Bleda

+1

·

Publicado

2009-12-21

·

Atualizado

2019-06-18

·

CVE-2009-3701

CVSS v2.0

4.3

Média

VetorAV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions Horde Application Framework versions prior to 3.3.6 Horde Groupware versions prior to 1.2.5 Horde Groupware Webmail Edition versions prior to 1.2.5
Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the administration interface. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the PATH INFO to specific PHP files, including phpshell.php, cmdshell.php, or sqlshell.php in the admin/ directory. The issue is related to the PHP SELF variable.
Recommendations For Horde Application Framework versions prior to 3.3.6, update to version 3.3.6 or later. For Horde Groupware versions prior to 1.2.5, update to version 1.2.5 or later. For Horde Groupware Webmail Edition versions prior to 1.2.5, update to version 1.2.5 or later.

Exploit

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2009-3701
DSA-1966-1

Produtos afetados

Horde Application Framework
Horde Groupware
Horde Groupware Webmail Edition