CVE-2017-16908 — Cross-site Scripting in Groupware

CWE-79 — Cross-site Scripting8 documents6 sources

Severity

5.4MEDIUMNVD

CNA6.8OSV6.8

EPSS

0.5%

top 35.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Horde Groupware

Timeline

PublishedNov 20

Latest updateMay 13

Description

In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

▶NVDhorde/groupware5.2.19

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-fcjx-8hh3-f9hr: In Horde Groupware 5↗2022-05-13

▶

CVEList

CVE-2017-16908: In Horde Groupware 5↗2017-11-20

▶

OSV

CVE-2017-16908: In Horde Groupware 5↗2017-11-20

▶

📋Vendor Advisories

Debian

CVE-2017-16908: php-horde-kronolith - In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a ...↗2017

▶

💬Community

Bugzilla

CVE-2017-16906 CVE-2017-16907 CVE-2017-16908 php-horde-horde: Multiple vulnerabilities [fedora-all]↗2017-11-21

▶

Bugzilla

CVE-2017-16906 CVE-2017-16907 CVE-2017-16908 php-horde-horde: Multiple vulnerabilities [epel-all]↗2017-11-21

▶

Bugzilla

CVE-2017-16906 CVE-2017-16907 CVE-2017-16908 php-horde-horde: Multiple vulnerabilities↗2017-11-21

▶