CVE-2009-3701

Name of the Vulnerable Software and Affected Versions Horde Application Framework versions prior to 3.3.6 Horde Groupware versions prior to 1.2.5 Horde Groupware Webmail Edition versions prior to 1.2.5

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the administration interface. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the PATH INFO to specific PHP files, including phpshell.php, cmdshell.php, or sqlshell.php in the admin/ directory. The issue is related to the PHP SELF variable.

Recommendations For Horde Application Framework versions prior to 3.3.6, update to version 3.3.6 or later. For Horde Groupware versions prior to 1.2.5, update to version 1.2.5 or later. For Horde Groupware Webmail Edition versions prior to 1.2.5, update to version 1.2.5 or later.