cbcvebase.
CVE-2015-7984
published 2015-11-19


Priority P345
Severity: medium, 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 4.12% (89.5th percentile)
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php.

Affected

6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | php-horde | < php-horde 5.2.8+debian0-1 (bookworm) | php-horde 5.2.8+debian0-1 (bookworm) |
| debian | php-horde-kronolith | < php-horde-kronolith 4.2.24-1 (bookworm) | php-horde-kronolith 4.2.24-1 (bookworm) |
| horde | groupware | | |
| horde | groupware | >= 5.0.0 < 5.2.11 | 5.2.11 |
| horde | horde_application_framework | >= 5.0.0 < 5.2.8 | 5.2.8 |

CVSS provenance

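| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 6.8 | MEDIUM | |
| vendor_debian | | 6.8 | MEDIUM | |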