CVE-2008-0807Groupware vulnerability

CWE-2644 documents4 sources
Severity
4.9MEDIUMNVD
EPSS
0.6%
top 29.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Horde GroupwareHorde Groupware Webmail EditionHorde Turba Contact Manager
Timeline
PublishedFeb 19
Latest updateMay 1

Description

lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 6.8 | Impact: 4.9

Affected Packages3 packages

NVDhorde/groupware1.0.3

Patches

Patch: lists.horde.orgPatch: lists.horde.orgPatch: lists.horde.org

🔴Vulnerability Details

1
GHSA
GHSA-vv7v-g229-vwgh: lib/Driver/sql2022-05-01

📋Vendor Advisories

1
Red Hat
turba: insufficient access checks2008-02-04

💬Community

1
Bugzilla
CVE-2008-0807 turba: insufficient access checks2008-02-08