CVE-2015-8807
Published: 2016-04-13
Priority: P4 · 26 · medium · 6.1 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 2.06% (79.0th percentile)
Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-horde-core | < php-horde-core 2.22.4+debian0-1 (bookworm) | php-horde-core 2.22.4+debian0-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| horde | groupware | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
Debian
CVE-2015-8807 [MEDIUM]: php-horde-core - Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function
vendor_debian · 2015 · CVSS 6.1
Scope: local
bookworm: resolved (fixed in 2.22.4+debian0-1)
bullseye: resolved (fixed in 2.22.4+debian0-1)
sid: resolved (fixed in 2.22.4+debian0-1)
GHSA
GHSA-whm8-gjx5-crg3 (CVE-2015-8807) [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php
ghsa_unreviewed · 2022-05-14
OSV
CVE-2015-8807 [MEDIUM]: Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php
osv · 2016-04-13 · CVSS 6.1
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-8807 [MEDIUM] php-horde-Horde: Cross-site scripting in _renderVarInput_number [fedora-all]
bugzilla · 2016-02-08 · CVSS 6.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2015-8807 [MEDIUM] php-horde-Horde: Cross-site scripting in _renderVarInput_number [epel-all]
bugzilla · 2016-02-08 · CVSS 6.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppor
Bugzilla
CVE-2015-8807 [MEDIUM] php-horde-Horde: Cross-site scripting in _renderVarInput_number
bugzilla · 2016-02-08 · CVSS 6.1
An XSS vulnerability was found in _renderVarInput_number in Horde/Core/Ui/VarRenderer/Html.php, where input in numeric field wasn't properly escaped.
Upstream patch:
https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253
CVE assignment:
http://seclists.org/oss-sec/2016/q1/292
Discussion:
Created php-horde-horde tracking bugs for this issue:
Affects: fedora-all [bug 1305598]
Affects: epel-all [bug 1305599]
---
php-horde-horde-5.2.9-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
---
php-horde-horde-5.2.9-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please mak
References:
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html
- http://lists.horde.org/archives/announce/2016/001148.html
- http://lists.horde.org/archives/announce/2016/001149.html
- http://www.debian.org/security/2016/dsa-3496
- http://www.openwall.com/lists/oss-security/2016/02/06/4
- http://www.openwall.com/lists/oss-security/2016/02/06/5
- https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES
- https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253