CVE-2022-26874 — Cross-site Scripting in Mime Viewer

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 45.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Horde Mime Viewer Debian Php-horde-mime-viewer Debian Linux

Timeline

PublishedMar 11

Latest updateMar 12

Description

lib/Horde/Mime/Viewer/Ooo.php in Horde Mime_Viewer before 2.2.4 allows XSS via an OpenOffice document, leading to account takeover in Horde Groupware Webmail Edition. This occurs after XSLT rendering.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDhorde/horde_mime_viewer< 2.2.4

▶debiandebian/php-horde-mime-viewer< php-horde-mime-viewer 2.2.4+debian0-1 (bookworm)

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-q622-5f2g-fmg6: lib/Horde/Mime/Viewer/Ooo↗2022-03-12

▶

OSV

CVE-2022-26874: lib/Horde/Mime/Viewer/Ooo↗2022-03-11

▶

📋Vendor Advisories

Debian

CVE-2022-26874: php-horde-mime-viewer - lib/Horde/Mime/Viewer/Ooo.php in Horde Mime_Viewer before 2.2.4 allows XSS via a...↗2022

▶