PT-2012-2401 · Horde · Horde Groupware+2

Kurt Seifried

Published

2012-09-25

Updated

2012-09-26

CVE-2012-0209

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Horde version 3.3.12 Horde Groupware version 1.2.10 Horde Groupware Webmail Edition version 1.2.10

Description The issue allows remote attackers to execute arbitrary PHP code due to an externally introduced modification in the templates/javascript/open calendar.js file. This modification was introduced in versions distributed by FTP between November 2011 and February 2012.

Recommendations For Horde version 3.3.12, avoid using the affected open calendar.js template until a fix is available. For Horde Groupware version 1.2.10, restrict access to the vulnerable open calendar.js file to minimize the risk of exploitation. For Horde Groupware Webmail Edition version 1.2.10, consider disabling the use of the open calendar.js template temporarily as a workaround.

Exploit

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2012-0209

Affected Products

Horde

Horde Groupware

Horde Groupware Webmail Edition

PT-2012-2401 · Horde · Horde Groupware+2

CVE-2012-0209

Weakness Enumeration

Related Identifiers

Affected Products

References · 9