CVE-2010-3694
Published 2010-11-09
Priority: P4 (25) · Severity: medium · CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EPSS: 0.62% (45.2th percentile)
Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form.
Affected
58 ranges · showing 25 (only the listed entry that carries version data is reproduced below; the remaining listed entries had no version or fix data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| horde | horde_application_framework | <= 3.3.8 | — |
No detection rules found.
No public exploits indexed.
Bugzilla · 2010-09-06 · CVSS 4.3 · MEDIUM
CVE-2010-3077 CVE-2010-3694 Horde: multiple flaws corrected in 3.3.9 [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product. Please mention CVE ids in the RPM changelog when available.

Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=630687
Please note: this issue affects mul
Bugzilla · 2010-09-06 · CVSS 4.3 · MEDIUM
CVE-2010-3077 CVE-2010-3694 Horde: multiple flaws corrected in 3.3.9
Moritz Naumann reported [1] a deficiency in the way the Horde framework sanitized the user-provided 'subdir' parameter when composing the final path to the image file. A remote, unauthenticated user could use this flaw to conduct cross-site scripting attacks (execute arbitrary HTML or scripting code) by providing a specially-crafted URL to the running Horde framework instance.

[1] http://seclists.org/fulldisclosure/2010/Sep/82

Upstream patch:
[2] http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9

Sample public URL by Moritz to demonstrate the issue:
[3] [path_to_horde]/util/icon_browser.php?subdir=&app=horde

Discussion:
This
References:
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050408.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050423.html
- http://lists.horde.org/archives/announce/2010/000557.html
- http://secunia.com/advisories/42140
- https://bugzilla.redhat.com/show_bug.cgi?id=630687