ID CVE-2007-1515Type cveReporter cve@mitre.orgModified 2018-10-16T16:38:00
Description
Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information.
{"id": "CVE-2007-1515", "bulletinFamily": "NVD", "title": "CVE-2007-1515", "description": "Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information.", "published": "2007-03-20T10:19:00", "modified": "2018-10-16T16:38:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1515", "reporter": "cve@mitre.org", "references": ["http://lists.horde.org/archives/announce/2007/000316.html", "http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052977.html", "http://www.securitytracker.com/id?1017774", "http://www.securityfocus.com/bid/22975", "http://secunia.com/advisories/24541", "http://www.securityfocus.com/archive/1/462914/100/0/threaded", "http://www.vupen.com/english/advisories/2007/0964"], "cvelist": ["CVE-2007-1515"], "type": "cve", "lastseen": "2021-02-02T05:31:22", "edition": 6, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:34079", "OSVDB:34078"]}, {"type": "exploitdb", "idList": ["EDB-ID:29742"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7414"]}], "modified": "2021-02-02T05:31:22", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2021-02-02T05:31:22", "rev": 2}, "vulnersScore": 5.1}, "cpe": ["cpe:/a:horde:imp:4.1.3"], "affectedSoftware": [{"cpeName": "horde:imp", "name": "horde imp", "operator": "le", "version": "4.1.3"}], "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "cpe23": ["cpe:2.3:a:horde:imp:4.1.3:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:horde:imp:4.1.3:*:*:*:*:*:*:*", "versionEndIncluding": "4.1.3", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "22975", "refsource": "BID", "tags": [], "url": "http://www.securityfocus.com/bid/22975"}, {"name": "[announce] 20070314 IMP H3 (4.1.4) (final)", "refsource": "MLIST", "tags": ["Patch", "Vendor Advisory"], "url": "http://lists.horde.org/archives/announce/2007/000316.html"}, {"name": "ADV-2007-0964", "refsource": "VUPEN", "tags": [], "url": "http://www.vupen.com/english/advisories/2007/0964"}, {"name": "20070315 Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues", "refsource": "FULLDISC", "tags": ["Vendor Advisory", "Exploit"], "url": "http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052977.html"}, {"name": "24541", "refsource": "SECUNIA", "tags": [], "url": "http://secunia.com/advisories/24541"}, {"name": "1017774", "refsource": "SECTRACK", "tags": [], "url": "http://www.securitytracker.com/id?1017774"}, {"name": "20070315 Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues", "refsource": "BUGTRAQ", "tags": [], "url": "http://www.securityfocus.com/archive/1/462914/100/0/threaded"}]}
{"osvdb": [{"lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "cvelist": ["CVE-2007-1515"], "description": "## Solution Description\nUpgrade to version 4.1.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nSecurity Tracker: 1017774\n[Secunia Advisory ID:24541](https://secuniaresearch.flexerasoftware.com/advisories/24541/)\n[Related OSVDB ID: 34079](https://vulners.com/osvdb/OSVDB:34079)\nOther Advisory URL: http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052977.html\nOther Advisory URL: http://lists.horde.org/archives/announce/2007/000316.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0190.html\nFrSIRT Advisory: ADV-2007-0964\n[CVE-2007-1515](https://vulners.com/cve/CVE-2007-1515)\nBugtraq ID: 22975\n", "edition": 1, "modified": "2007-03-15T11:07:11", "published": "2007-03-15T11:07:11", "href": "https://vulners.com/osvdb/OSVDB:34078", "id": "OSVDB:34078", "title": "IMP thread.php Email Subject Header XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "cvelist": ["CVE-2007-1515"], "description": "## Solution Description\nUpgrade to version 4.1.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nSecurity Tracker: 1017774\n[Secunia Advisory ID:24541](https://secuniaresearch.flexerasoftware.com/advisories/24541/)\n[Related OSVDB ID: 34078](https://vulners.com/osvdb/OSVDB:34078)\nOther Advisory URL: http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052977.html\nOther Advisory URL: http://lists.horde.org/archives/announce/2007/000316.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0190.html\nFrSIRT Advisory: ADV-2007-0964\n[CVE-2007-1515](https://vulners.com/cve/CVE-2007-1515)\nBugtraq ID: 22975\n", "edition": 1, "modified": "2007-03-15T11:07:11", "published": "2007-03-15T11:07:11", "href": "https://vulners.com/osvdb/OSVDB:34079", "id": "OSVDB:34079", "title": "IMP search.php edit_query Variable XSS", "type": "osvdb", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T11:02:05", "description": "Horde IMP Webmail 4.0.4 Client Multiple Input Validation Vulnerabilities. CVE-2007-1515 . Webapps exploit for php platform", "published": "2007-03-15T00:00:00", "type": "exploitdb", "title": "Horde IMP Webmail <= 4.0.4 Client Multiple Input Validation Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1515"], "modified": "2007-03-15T00:00:00", "id": "EDB-ID:29742", "href": "https://www.exploit-db.com/exploits/29742/", "sourceData": "source: http://www.securityfocus.com/bid/22975/info\r\n\r\nHorde IMP Webmail Client is prone to multiple input-validation vulnerabilities, including cross-site scripting and an HTML-injection issue, because the application fails to properly sanitize user-supplied input.\r\n\r\nAttacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. \r\n\r\nhttp://www.example.com/horde/imp/search.php?edit_query=[xss] ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/29742/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:24", "bulletinFamily": "software", "cvelist": ["CVE-2007-1556", "CVE-2006-7172", "CVE-2007-1510", "CVE-2007-1482", "CVE-2007-1479", "CVE-2007-1631", "CVE-2007-1509", "CVE-2007-1472", "CVE-2007-1620", "CVE-2007-1508", "CVE-2007-1474", "CVE-2007-1445", "CVE-2006-7173", "CVE-2007-1478", "CVE-2007-1477", "CVE-2007-1480", "CVE-2007-1514", "CVE-2007-1443", "CVE-2007-1613", "CVE-2007-1455", "CVE-2007-1525", "CVE-2007-1518", "CVE-2007-1483", "CVE-2007-1481", "CVE-2007-1515", "CVE-2007-1489", "CVE-2007-1513", "CVE-2007-1486", "CVE-2007-1462", "CVE-2007-1487"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2007-03-17T00:00:00", "published": "2007-03-17T00:00:00", "id": "SECURITYVULNS:VULN:7414", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7414", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
