Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-1691 — Code Injection in Php-horde-util

CWE-94 — Code Injection9 documents7 sources

Severity

7.5HIGHNVD

EPSS

81.3%

top 0.83%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Debian Php-horde-util Horde Application Framework

Timeline

PublishedApr 1

Latest updateMay 17

Description

The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶debiandebian/php-horde-util< php-horde-util 2.3.0-1 (bookworm)

▶NVDhorde/horde_application_framework5.1.0+5

Patches

Patch: seclists.org ↗Patch: seclists.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-vrpw-h28p-3rfp: The framework/Util/lib/Horde/Variables↗2022-05-17

▶

OSV

CVE-2014-1691: The framework/Util/lib/Horde/Variables↗2014-04-01

▶

💥Exploits & PoCs

Exploit-DB

Horde Framework - Unserialize PHP Code Execution (Metasploit)↗2014-03-22

▶

Metasploit

Horde Framework Unserialize PHP Code Execution↗

▶

📋Vendor Advisories

Debian

CVE-2014-1691: php-horde-util - The framework/Util/lib/Horde/Variables.php script in the Util library in Horde b...↗2014

▶

💬Community

Bugzilla

CVE-2014-1691 horde: unserializing certain form input leads to code execution↗2014-01-28

▶

Bugzilla

CVE-2014-1691 horde: unserializing certain form input leads to code execution [fedora-all]↗2014-01-28

▶

Bugzilla

CVE-2014-1691 horde: unserializing certain form input leads to code execution [epel-all]↗2014-01-28

▶