cvebase

Horde Groupware vulnerabilities

45 known vulnerabilities affecting horde/groupware.

Total CVEs: 45
CISA KEV: 0
Public exploits: 14
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 8, MEDIUM 34

Vulnerabilities

Page 2 of 3
CVE-2025-41066 | P3 | MEDIUM | CVSS 5.3 | v5.2.22 | 2025-12-02
CVE-2025-41066 [MEDIUM] CWE-200: Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of valid accounts on the system. To exploit the vulnerability, an HTTP request must be sent to ‘/imp/attachment.php’ including the parameters ‘id’ and ‘u’. If the specified user exists, the server will return the download o
nvd
CVE-2008-1284 | P4 | MEDIUM | CVSS 6.0 | ≤ 1.0.4 | 2008-03-11
CVE-2008-1284 [MEDIUM] CWE-22: Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name.
nvd
CVE-2009-3236 | P4 | MEDIUM | CVSS 4.3 | v1.1, v1.1.1, +8 more | 2009-09-17
CVE-2009-3236 [MEDIUM]: The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote attackers, with privileges to write to the address book, to overwrite arbitrary fil
nvd
CVE-2017-16908 | P4 | MEDIUM | CVSS 5.4 | v5.2.19 | 2017-11-20
CVE-2017-16908 [MEDIUM]: In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.
nvd
CVE-2015-8807 | P4 | MEDIUM | CVSS 6.1 | v5.2.11 | 2016-04-13
CVE-2015-8807 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields.
nvd
CVE-2016-2228 | P4 | MEDIUM | CVSS 6.1 | ≤ 5.2.11 | 2016-04-13
CVE-2016-2228 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php.
nvd
CVE-2020-8035 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.2.22 | 2020-05-18
CVE-2020-8035 [MEDIUM] CWE-79: The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
nvd
CVE-2019-12094 | P4 | MEDIUM | CVSS 6.1 | ≤ 5.2.22 | 2019-10-24
CVE-2019-12094 [MEDIUM] CWE-79: Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.
nvd
CVE-2016-5303 | P4 | MEDIUM | CVSS 6.1 | v5.2.15 | 2016-12-20
CVE-2016-5303 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute.
nvd
CVE-2020-8034 | P4 | MEDIUM | CVSS 6.1 | v5.2.22 | 2020-05-18
CVE-2020-8034 [MEDIUM] CWE-79: Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
nvd
CVE-2008-0807 | P4 | MEDIUM | CVSS 4.9 | v1.0.3 | 2008-02-19
CVE-2008-0807 [MEDIUM] CWE-264: lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edi
nvd
CVE-2017-16906 | P4 | MEDIUM | CVSS 5.4 | ≥ 5.2.19, ≤ 5.2.22 | 2017-11-20
CVE-2017-16906 [MEDIUM] CWE-79: In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
nvd
CVE-2017-16907 | P4 | MEDIUM | CVSS 5.4 | v5.2.19, v5.2.21 | 2017-11-20
CVE-2017-16907 [MEDIUM] CWE-79: In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
nvd
CVE-2007-0579 | P4 | MEDIUM | CVSS 5.1 | v1.0_rc2, v1.0_rc3 | 2007-01-30
CVE-2007-0579 [MEDIUM]: Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information.
nvd
CVE-2012-5567 | P4 | MEDIUM | CVSS 4.3 | ≤ 4.0.8, v4.0, +7 more | 2014-04-05
CVE-2012-5567 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1) month, (2) monthlist, or (3) prevmonthlist fields, related to portal blocks.
nvd
CVE-2012-6640 | P4 | MEDIUM | CVSS 4.3 | ≤ 4.0.8, v4.0, +7 more | 2014-04-05
CVE-2012-6640 [MEDIUM]: Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than CVE-2012-5565.
nvd
CVE-2012-5565 | P4 | MEDIUM | CVSS 4.3 | ≤ 4.0.8, v4.0, +7 more | 2014-04-05
CVE-2012-5565 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file, related to the dynamic view.
nvd
CVE-2010-3693 | P4 | MEDIUM | CVSS 4.3 | ≤ 1.2.6, v1.0, +21 more | 2011-04-04
CVE-2010-3693 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names.
nvd
CVE-2012-5566 | P4 | MEDIUM | CVSS 4.3 | ≤ 4.0.7, v4.0, +6 more | 2014-04-05
CVE-2012-5566 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view.
nvd
CVE-2009-3237 | P4 | MEDIUM | CVSS 4.3 | v1.1, v1.1.1, +8 more | 2009-09-17
CVE-2009-3237 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not p
nvd