Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-7984 — Cross-Site Request Forgery in Groupware

CWE-352 — Cross-Site Request Forgery CWE-79 — Cross-site Scripting10 documents6 sources

Severity

6.8MEDIUMNVD

NVD5.4

EPSS

1.1%

top 21.67%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Horde Groupware Horde Application Framework Debian Php-horde +2 more

Timeline

PublishedNov 19

Latest updateMay 13

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages4 packages

▶NVDhorde/groupware5.0.0 — 5.2.11+1

▶debiandebian/php-horde< php-horde 5.2.8+debian0-1 (bookworm)

▶debiandebian/php-horde-kronolith< php-horde-kronolith 4.2.24-1 (bookworm)

▶NVDhorde/horde_application_framework5.0.0 — 5.2.8

Also affects: Debian Linux 8.0

🔴Vulnerability Details

GHSA

GHSA-jcj5-4c5g-3958: Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5↗2022-05-13

▶

GHSA

GHSA-fcjx-8hh3-f9hr: In Horde Groupware 5↗2022-05-13

▶

OSV

CVE-2017-16908: In Horde Groupware 5↗2017-11-20

▶

OSV

CVE-2015-7984: Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5↗2015-11-19

▶

💥Exploits & PoCs

Exploit-DB

Horde Groupware 5.2.10 - Cross-Site Request Forgery↗2015-11-19

▶

📋Vendor Advisories

Debian

CVE-2017-16908: php-horde-kronolith - In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a ...↗2017

▶

Debian

CVE-2015-7984: php-horde - Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8...↗2015

▶

💬Community

Bugzilla

CVE-2017-16906 CVE-2017-16907 CVE-2017-16908 php-horde-horde: Multiple vulnerabilities↗2017-11-21

▶