Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2009-3701 — Cross-site Scripting in Application Framework
Severity
4.3MEDIUMNVD
EPSS
2.2%
top 15.59%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedDec 21
Latest updateMay 2
Description
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
CVSS vector
AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9
Affected Packages2 packages
Patches
🔴Vulnerability Details
1GHSA▶
GHSA-pfm3-37qv-rm2q: Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3↗2022-05-02