CVE-2004-1385

2004-12-3105:00:00

NVD-CWE-Other

[email protected]

web.nvd.nist.gov

cve-2004-1385

phpgroupware

remote attackers

sensitive information

session id

parameters

web server path

error message

6.8 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.018 Low

EPSS

Percentile

88.1%

JSON

phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain sensitive information via (1) unexpected characters in the session ID such as shell metacharacters, (2) an invalid appname parameter to preferences.php or (3) an invalid menuaction parameter to index.php, which reveals the web server path in an error message.

CPENameOperatorVersion
phpgroupware:phpgroupwarephpgroupwareeq0.9.14.003
phpgroupware:phpgroupwarephpgroupwareeq0.9.13
phpgroupware:phpgroupwarephpgroupwareeq0.9.14.005
phpgroupware:phpgroupwarephpgroupwareeq0.9.14.006
phpgroupware:phpgroupwarephpgroupwareeq0.9.12
phpgroupware:phpgroupwarephpgroupwareeq0.9.14
phpgroupware:phpgroupwarephpgroupwareeq0.9.16.000
phpgroupware:phpgroupwarephpgroupwareeq0.9.16.003
phpgroupware:phpgroupwarephpgroupwareeq0.9.16_rc1
phpgroupware:phpgroupwarephpgroupwareeq0.9.16.002

CPE	Name	Operator	Version
phpgroupware:phpgroupware	phpgroupware	eq	0.9.14.003
phpgroupware:phpgroupware	phpgroupware	eq	0.9.13
phpgroupware:phpgroupware	phpgroupware	eq	0.9.14.005
phpgroupware:phpgroupware	phpgroupware	eq	0.9.14.006
phpgroupware:phpgroupware	phpgroupware	eq	0.9.12
phpgroupware:phpgroupware	phpgroupware	eq	0.9.14
phpgroupware:phpgroupware	phpgroupware	eq	0.9.16.000
phpgroupware:phpgroupware	phpgroupware	eq	0.9.16.003
phpgroupware:phpgroupware	phpgroupware	eq	0.9.16_rc1
phpgroupware:phpgroupware	phpgroupware	eq	0.9.16.002