Horde Groupware vulnerabilities
45 known vulnerabilities affecting horde/groupware.

Total CVEs: 45
CISA KEV: 0
Public exploits: 14
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 8, MEDIUM 34

Vulnerabilities
Page 1 of 3

Each entry below lists: CVE ID | priority | severity | CVSS score | PoC (a public proof of concept is recorded) | affected versions as recorded in this listing | publication date, followed by the CWE and the description, and the data source.

CVE-2020-8518 | P1 | CRITICAL | CVSS 9.8 | PoC | affects v5.2.22 | published 2020-02-17
CWE-94: Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
Source: nvd

CVE-2012-0209 | P2 | HIGH | CVSS 7.5 | PoC | affects v1.2.10 | published 2012-09-25
CWE-94: Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contain an externally introduced modification (Trojan horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code.
Source: nvd

CVE-2019-9858 | P2 | HIGH | CVSS 8.8 | PoC | affects v5.2.17, v5.2.22 | published 2019-05-29
CWE-22: Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class that handles image upload in forms. When the Horde_Form_Type_image method onSubmit() is called on uploads, it invokes the functions getImage() and _getUpload(), which uses unsanitized user input as a path to save the image. T
Source: nvd

CVE-2017-15235 | P2 | HIGH | CVSS 7.5 | PoC | affects v5.2.21 | published 2017-10-11
CWE-425: The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename.
Source: nvd

CVE-2020-8866 | P3 | MEDIUM | CVSS 6.5 | PoC | affects v5.2.22 | published 2020-03-23
CWE-434: This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary
Source: nvd

CVE-2020-8865 | P3 | MEDIUM | CVSS 6.3 | PoC | affects v5.2.22 | published 2020-03-23
CWE-23: This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to u
Source: nvd

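The two path-handling entries above, CVE-2019-9858 (CWE-22, unsanitized user input used as the path an uploaded image is saved to) and CVE-2020-8865 (CWE-23, a user-supplied template path used without validation), share one root cause: a client-controlled name is joined to a base directory and used as-is. The following is an added illustration written for this page in Python, not Horde's PHP code; the function names, the scratch directory and the traversal input are constructed for the demonstration. It shows the unsafe pattern beside a containment check that resolves the final path and refuses anything that lands outside the intended directory.

```python
"""Added illustration (not Horde code) of the path weakness described for
CVE-2019-9858 and CVE-2020-8865.  save_upload_vulnerable() reproduces the
unsafe pattern; resolve_inside() is the containment check that the hardened
variant applies to the same input.  All names here are hypothetical."""

import os
import shutil
import tempfile


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Return the absolute path that user_path denotes under base_dir, or raise
    ValueError if it would land anywhere else.

    realpath() collapses '..' segments and follows symlinks, so both a plain
    '../x' and a link that points out of base_dir are caught.  The join is done
    before realpath so that an absolute user_path (which os.path.join honours,
    discarding base_dir) is also rejected by the prefix test."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError(f"path escapes {base_dir!r}: {user_path!r}")
    return candidate


def save_upload_vulnerable(upload_dir: str, filename: str, data: bytes) -> str:
    """Unsafe pattern: the client-supplied name is joined and written as-is."""
    target = os.path.join(upload_dir, filename)      # no containment check
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def save_upload_hardened(upload_dir: str, filename: str, data: bytes) -> str:
    """Same operation, but the name must resolve inside upload_dir."""
    target = resolve_inside(upload_dir, filename)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run both variants against a constructed traversal name in a scratch
    directory and report what each did."""
    root = tempfile.mkdtemp(prefix="horde-demo-")
    upload_dir = os.path.join(root, "uploads")
    os.mkdir(upload_dir)
    traversal = os.path.join("..", "escaped.txt")    # constructed attacker input
    try:
        vuln_target = save_upload_vulnerable(upload_dir, traversal, b"x")
        wrote_outside = os.path.realpath(vuln_target) == os.path.join(
            os.path.realpath(root), "escaped.txt")
        try:
            save_upload_hardened(upload_dir, traversal, b"x")
            rejected = False
        except ValueError:
            rejected = True
        ok_target = save_upload_hardened(upload_dir, "avatar.png", b"x")
        kept_inside = os.path.dirname(ok_target) == os.path.realpath(upload_dir)
    finally:
        shutil.rmtree(root)
    return {
        "vulnerable_wrote_outside": wrote_outside,
        "hardened_rejected_traversal": rejected,
        "hardened_kept_inside": kept_inside,
    }


if __name__ == "__main__":
    print(demo())
```

The check compares the fully resolved path against the resolved base rather than scanning the input for "..": encoded or symlink-based variants that a substring filter misses still end up outside the base after resolution and are refused.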
CVE-2022-30287 | P2 | HIGH | CVSS 8.0 | affects ≤ 5.2.22 | published 2022-07-28
CWE-470: Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects.
Source: nvd

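The entry above names CWE-470: a request value is used directly as a class name, so the caller can reach any class in scope, including one whose constructor deserialises its input. The following is an added illustration for this page, written in Python rather than Horde's PHP, and none of the class or function names correspond to Horde code; the pickled blob is a constructed harmless sample standing in for an attacker's payload. It shows the vulnerable loader beside a hardened one that maps a fixed set of driver names to classes and never interprets the request value as a class name.

```python
"""Added illustration (not Horde code) of CWE-470 as named in the entry above.
Everything here is hypothetical; names do not correspond to Horde classes."""

import pickle


class SqlDriver:
    """Hypothetical legitimate storage driver."""
    kind = "sql"

    def __init__(self, params: dict):
        self.params = params


class LdapDriver:
    """Hypothetical legitimate storage driver."""
    kind = "ldap"

    def __init__(self, params: dict):
        self.params = params


class CacheLoader:
    """Hypothetical class that was never meant to be selectable by a user: its
    constructor unpickles whatever it is handed.  Reaching it through the
    vulnerable loader gives the 'instantiate a driver class, then arbitrary
    deserialization' chain the CVE entry describes."""
    kind = "cache"

    def __init__(self, params: dict):
        self.loaded = pickle.loads(params["blob"])


# Constructed sample payload; a real attacker's blob would carry a gadget
# chain rather than a harmless dict.
CONSTRUCTED_BLOB = pickle.dumps({"marker": "attacker-controlled"})


def load_driver_vulnerable(driver_name: str, params: dict):
    """Vulnerable: the lookup key comes straight from the request, so every
    name in this module's namespace is a valid 'driver'."""
    cls = globals()[driver_name]
    return cls(params)


ALLOWED_DRIVERS = {
    "sql": SqlDriver,
    "ldap": LdapDriver,
}


def load_driver_hardened(driver_name: str, params: dict):
    """Hardened: the request value selects an entry in a fixed allowlist and is
    never interpreted as a class name; anything else is rejected before any
    object is constructed."""
    cls = ALLOWED_DRIVERS.get(driver_name)
    if cls is None:
        raise ValueError(f"unknown driver {driver_name!r}")
    return cls(params)


def demo() -> dict:
    """Feed the same hostile driver name to both loaders."""
    params = {"blob": CONSTRUCTED_BLOB}
    reached = load_driver_vulnerable("CacheLoader", params)
    try:
        load_driver_hardened("CacheLoader", params)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_instantiated": type(reached).__name__,
        "vulnerable_deserialised": reached.loaded,
        "hardened_rejected": rejected,
        "hardened_accepts_sql": type(load_driver_hardened("sql", {})).__name__,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is the whole fix: once the request value is only ever a dictionary key, the set of reachable constructors is fixed at code-review time instead of being whatever happens to be loadable at runtime.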
CVE-2017-7413 | P2 | HIGH | CVSS 8.8 | affects ≤ 5.2.17 | published 2017-04-04
CWE-78: In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the attacker is an authenticated Horde Webmail user, has PGP features enabled in their preferences, and attempts to encrypt an email addressed to a maliciously crafted email address.
Source: nvd

CVE-2013-6364 | P3 | HIGH | CVSS 8.8 | PoC | affects v5.1.2 | published 2019-11-05
CWE-79: Horde Groupware Webmail Edition has CSRF and XSS when saving a search as a virtual address book.
Source: nvd

CVE-2015-7984 | P3 | MEDIUM | CVSS 6.8 | PoC | affects ≥ 5.0.0, < 5.2.11 | published 2015-11-19
CWE-352: Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sq
Source: nvd

CVE-2021-26929 | P3 | MEDIUM | CVSS 6.1 | PoC | affects ≤ 5.2.22 | published 2021-02-14
CWE-79: An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with
Source: nvd

CVE-2013-6275 | P3 | MEDIUM | CVSS 6.5 | PoC | affects ≤ 5.1.2 | published 2019-11-05
CWE-352: Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php.
Source: nvd

CVE-2013-6365 | P4 | MEDIUM | CVSS 5.3 | PoC | affects v5.1.2 | published 2019-11-05
CWE-352: Horde Groupware Webmail 5.1.2 has CSRF in requests that change permissions.
Source: nvd

CVE-2010-3695 | P4 | MEDIUM | CVSS 4.3 | PoC | affects ≤ 1.2.6, v1.0, +21 more | published 2011-03-31
CWE-79: Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration.
Source: nvd

CVE-2009-3701 | P4 | MEDIUM | CVSS 4.3 | PoC | affects ≤ 1.2.4, v1.0, +19 more | published 2009-12-21
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admi
Source: nvd

CVE-2008-1974 | P4 | MEDIUM | CVSS 4.3 | PoC | affects v1.0.5 | published 2008-04-27
CWE-79: Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
Source: nvd

CVE-2008-7218 | P3 | CRITICAL | CVSS 10.0 | affects v1.0, v1.0.1, +2 more | published 2009-09-13
Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6 and 2.2 before 2.2-RC2; Kronolith H3 2.1 before 2.1.7 and H3 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and 2.2 before 2.2-RC2; Horde Groupware 1.0 before 1.0.3 and 1.1 before 1.
Source: nvd

CVE-2017-7414 | P3 | HIGH | CVSS 7.5 | affects v5.0.0, v5.0.1, +18 more | published 2017-04-04
CWE-78: In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the user has PGP features enabled in the user's preferences, and has enabled the "Should PGP signed messages be automatically verified when viewed?" preference. To exploit this vulnerability, an attacker can send a PGP signed emai
Source: nvd

CVE-2019-12095 | P3 | HIGH | CVSS 8.8 | affects ≤ 5.2.22 | published 2019-10-24
CWE-79: Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload.
Source: nvd

CVE-2008-7219 | P4 | CRITICAL | CVSS 10.0 | affects v1.0, v1.0.1, +2 more | published 2009-09-13
CWE-264: Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.1.2 and H3 2.2 before 2.2-RC2; Groupware 1.0 before 1.0.3 and 1.1 before 1.1-RC2; and Groupware Webmail Edition 1.0 before 1.0.4 and 1.1 before 1.1-RC2 do not validate ownership when performing share changes, which has
Source: nvd

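A practitioner reading this page usually wants one answer: which of these entries apply to the Horde Groupware Webmail version actually deployed. The following added helper is not part of the page or of the Horde project; it transcribes the affected-version fields shown on page 1 (only the entries that carry an explicit version constraint) into predicates and checks an installed version against them. Exact markers such as "v5.2.22" are treated as exact matches, as the listing records them, even where the NVD text reads "through 5.2.22"; a miss against such an entry therefore only means this listing does not name that version, not that the version is clean. The severity strings are the ones shown in the entries.

```python
"""Added helper (not part of the page or of Horde) that turns the affected
version fields shown in this listing into a check against an installed
Horde Groupware Webmail version.  The table transcribes page 1 only, and only
entries with an explicit version constraint.  Extend LISTING if you also track
pages 2 and 3."""

from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.2.22' -> (5, 2, 22); pre-release tags like '1.1-RC2' are refused."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


# (severity, affected-version predicate) per CVE, transcribed from page 1.
# Exact markers ('v5.2.22') are exact matches; '<=' and range markers are
# encoded as the listing shows them.
LISTING: Dict[str, Tuple[str, Callable[[Version], bool]]] = {
    "CVE-2020-8518":  ("CRITICAL", lambda v: v == (5, 2, 22)),
    "CVE-2019-9858":  ("HIGH",     lambda v: v in ((5, 2, 17), (5, 2, 22))),
    "CVE-2017-15235": ("HIGH",     lambda v: v == (5, 2, 21)),
    "CVE-2020-8866":  ("MEDIUM",   lambda v: v == (5, 2, 22)),
    "CVE-2020-8865":  ("MEDIUM",   lambda v: v == (5, 2, 22)),
    "CVE-2022-30287": ("HIGH",     lambda v: v <= (5, 2, 22)),
    "CVE-2017-7413":  ("HIGH",     lambda v: v <= (5, 2, 17)),
    "CVE-2013-6364":  ("HIGH",     lambda v: v == (5, 1, 2)),
    "CVE-2015-7984":  ("MEDIUM",   lambda v: (5, 0, 0) <= v < (5, 2, 11)),
    "CVE-2021-26929": ("MEDIUM",   lambda v: v <= (5, 2, 22)),
    "CVE-2013-6275":  ("MEDIUM",   lambda v: v <= (5, 1, 2)),
    "CVE-2013-6365":  ("MEDIUM",   lambda v: v == (5, 1, 2)),
    "CVE-2019-12095": ("HIGH",     lambda v: v <= (5, 2, 22)),
}

SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}


def affected_cves(installed: str) -> List[str]:
    """CVE IDs from LISTING whose version predicate matches, sorted by ID."""
    v = parse_version(installed)
    return sorted(cve for cve, (_, hits) in LISTING.items() if hits(v))


def worst_severity(installed: str) -> Optional[str]:
    """Highest severity among the matching entries, or None if none match."""
    hits = affected_cves(installed)
    if not hits:
        return None
    return max((LISTING[c][0] for c in hits), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for ver in ("5.2.22", "5.2.17", "5.1.2"):
        print(ver, worst_severity(ver), affected_cves(ver))
```

Because the listing shows no version newer than 5.2.22 and several entries are recorded as "≤ 5.2.22", every 5.2.x installation matches at least the reflection-injection, CSRF and XSS entries; the version check narrows the triage list, it does not replace reading the individual advisories.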