CVE-2006-3549 — Application Framework vulnerability

2 documents2 sources

Severity

5.0MEDIUMNVD

EPSS

1.8%

top 17.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Horde Application Framework

Timeline

PublishedJul 13

Latest updateMay 1

Description

services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDhorde/horde_application_framework13 versions+12

Patches

Patch: lists.horde.org ↗Patch: lists.horde.org ↗

🔴Vulnerability Details

GHSA

GHSA-3w95-3q7c-6v47: services/go↗2022-05-01

▶