Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-1974 — Cross-site Scripting in Groupware

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

2.2%

top 15.73%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Horde Groupware Horde Groupware Webmail Edition

Timeline

PublishedApr 27

Latest updateMay 1

Description

Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDhorde/groupware_webmail_edition1.0.6

▶NVDhorde/groupware1.0.5

🔴Vulnerability Details

GHSA

GHSA-249v-v545-hw42: Cross-site scripting (XSS) vulnerability in addevent↗2022-05-01

▶

💥Exploits & PoCs

Exploit-DB

Horde Webmail 1.0.6 - 'addevent.php' Cross-Site Scripting↗2008-04-23

▶

📋Vendor Advisories

Red Hat

kronolith: XSS in addevent.php↗2008-04-22

▶

💬Community

Bugzilla

CVE-2008-1974 kronolith: XSS in addevent.php↗2008-04-28

▶