CVE-2005-4190 — Cross-site Scripting in Application Framework

CWE-79 — Cross-site Scripting2 documents2 sources

Severity

3.5LOWNVD

EPSS

0.8%

top 25.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Horde Application Framework

Timeline

PublishedDec 13

Latest updateMay 1

Description

Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework before 3.0.8 allow remote authenticated users to inject arbitrary web script or HTML via multiple vectors, as demonstrated by (1) the identity field, (2) Category and (3) Label search fields, (4) the Mobile Phone field, and (5) Date and (6) Time fields when importing CSV files, as exploited through modules such as (a) Turba Address Book, (b) Kronolith, (c) Mnemo, and (d) Nag.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 6.8 | Impact: 2.9

Affected Packages1 packages

▶NVDhorde/horde_application_framework43 versions+42

Patches

Patch: lists.horde.org ↗Patch: secunia.com ↗Patch: lists.horde.org ↗

🔴Vulnerability Details

GHSA

GHSA-22x4-mg72-m2h8: Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework before 3↗2022-05-01

▶