CVE-2013-6364
Published: 2019-11-05

CVE-2013-6364: Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book

Priority: P3 46 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.08% (79.2nd percentile)
Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | php-horde | < php-horde-turba 4.1.3-1 (bookworm) | php-horde-turba 4.1.3-1 (bookworm) |
| debian | php-horde-turba | < php-horde-turba 4.1.3-1 (bookworm) | php-horde-turba 4.1.3-1 (bookworm) |
| horde | groupware | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | LOW | — |
Debian
CVE-2013-6364: php-horde - Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual...
vendor_debian · 2013 · CVSS 8.8
Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book
Scope: local
bookworm: resolved
bullseye: resolved
sid: resolved
GHSA
GHSA-m8j4-9m2h-p788: Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book
ghsa_unreviewed · 2022-05-24
Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book
OSV
CVE-2013-6364: Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book
osv · 2019-11-05 · CVSS 8.8
Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book
No detection rules found.
Bugzilla
CVE-2013-6364 CVE-2013-6365 horde: various flaws [epel-all]
bugzilla · 2013-11-04 · CVSS 8.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple
Bugzilla
CVE-2013-6364 horde: XSS and CSRF via saving search as virtual address book
bugzilla · 2013-11-04 · CVSS 8.8
A CSRF flaw and an XSS flaw were reported [1],[2] in the way Horde Groupware handled saving searches as a virtual address book. An attacker could launch a CSRF attack to have the victim save malicious code in the "save search" which would then make it vulnerable to an XSS attack.
This has been fixed in git. [3]
[1] http://www.securityfocus.com/archive/1/529589
[2] http://bugs.horde.org/ticket/12803
[3] https://github.com/horde/horde/commit/74f9add4ad86c29b608270e33b17426163b3c8cf
Discussion:
Created horde tracking bugs for this issue:
Affects: fedora-all [bug 1026494]
Affects: epel-all [bug 1026496]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a packag
Bugzilla
CVE-2013-6364 CVE-2013-6365 horde: various flaws [fedora-all]
bugzilla · 2013-11-04 · CVSS 8.8
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple su
References:
- http://archives.neohapsis.com/archives/bugtraq/2013-11/0012.html
- http://www.exploit-db.com/exploits/29519
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6364
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-6364
- https://security-tracker.debian.org/tracker/CVE-2013-6364
- https://www.securityfocus.com/archive/1/529589