PT-2019-12637 · Horde+1 · Horde Trean+1

Published: 2019-10-24 · Updated: 2020-08-24 · CVE-2019-12095

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Horde Trean versions prior to 5.2.22

Description: The issue allows for CSRF, as demonstrated by the treanBookmarkTags parameter to the "trean/" URI on a webmail server. It is noted that treanBookmarkTags could potentially be a stored XSS payload.

Recommendations: For versions prior to 5.2.22, consider restricting access to the "trean/" URI to minimize the risk of exploitation. As a temporary workaround, avoid using the treanBookmarkTags parameter in the affected API endpoint until the issue is resolved.

Exploit · Fix · XSS · CSRF

Weakness Enumeration

Related Identifiers

CVE-2019-12095
DLA-2033-1

Affected Products

Debian
Horde Trean