CVE-2009-3236

2009-09-1710:30:00

NVD-CWE-noinfo

[email protected]

web.nvd.nist.gov

cve-2009-3236

horde application framework

remote code execution

php

security vulnerability

7 High

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.7%

JSON

The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; reuses temporary filenames during the upload process which allows remote attackers, with privileges to write to the address book, to overwrite arbitrary files and execute PHP code via crafted Horde_Form_Type_image form field elements.

CPENameOperatorVersion
horde:groupwarehorde groupwareeq1.1
horde:application_frameworkhorde application frameworkeq3.2.4
horde:groupwarehorde groupwareeq1.2.2
horde:groupwarehorde groupwareeq1.1.5
horde:application_frameworkhorde application frameworkeq3.2.1
horde:application_frameworkhorde application frameworkeq3.3.2
horde:groupwarehorde groupwareeq1.2.1
horde:application_frameworkhorde application frameworkeq3.2.2
horde:groupwarehorde groupwareeq1.1.1
horde:application_frameworkhorde application frameworkeq3.3.3

CPE	Name	Operator	Version
horde:groupware	horde groupware	eq	1.1
horde:application_framework	horde application framework	eq	3.2.4
horde:groupware	horde groupware	eq	1.2.2
horde:groupware	horde groupware	eq	1.1.5
horde:application_framework	horde application framework	eq	3.2.1
horde:application_framework	horde application framework	eq	3.3.2
horde:groupware	horde groupware	eq	1.2.1
horde:application_framework	horde application framework	eq	3.2.2
horde:groupware	horde groupware	eq	1.1.1
horde:application_framework	horde application framework	eq	3.3.3