Lucene search
K
HordeGroupware

46 matches found

CVE
CVE
added 2020/02/17 2:53 p.m.206 views

CVE-2020-8518

CVE-2020-8518 is an RCE in Horde Groupware Webmail Edition 5.2.22 via CSV data import, caused by arbitrary PHP code injection in the Horde_Data component. The vulnerability allows authenticated users to execute code on the server hosting the web application. Affected versions include Horde Groupw...

9.8CVSS9.8AI score0.71728EPSS
Web
CVE
CVE
added 2021/02/14 3:43 a.m.163 views

CVE-2021-26929

CVE-2021-26929 affects Horde Groupware Webmail Edition up to 5.2.22 (Horde_Text_Filter before 2.3.7). The vulnerability is an XSS in which a attacker can send a plain text email containing JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, due to bespoke use ...

6.1CVSS5.8AI score0.04944EPSS
Web
CVE
CVE
added 2012/09/25 10:0 p.m.147 views

CVE-2012-0209

CVE-2012-0209 corresponds to a backdoor backdoor in Horde 3.3.12 and Horde Groupware 1.2.10/1.2.10 Webmail, introduced via an unauthorized modification in templates/javascript/open_calendar.js. Affected packages include Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2...

7.5CVSS7.4AI score0.71897EPSS
Web
CVE
CVE
added 2019/05/29 4:26 p.m.141 views

CVE-2019-9858

CVE-2019-9858 affects Horde Groupware Webmail (versions 5.2.22 and 5.2.17). The flaw is in Horde/Form/Type.php image upload handling: an unsanitized POST parameter object[photo][img][file] is used as the destination path for move_uploaded_file(), allowing an attacker to place a PHP file (e.g., vi...

8.8CVSS8.8AI score0.19165EPSS
Web
CVE
CVE
added 2019/10/24 5:9 p.m.135 views

CVE-2019-12095

CVE-2019-12095 affects Horde Trean (Horde Groupware Webmail Edition up to 5.2.22 and related products). The flaw enables CSRF via the treanBookmarkTags parameter to the trean/ URI on a webmail server, with the note that treanBookmarkTags could carry a stored XSS payload. Public documents confirm ...

8.8CVSS8.1AI score0.01115EPSS
Web
CVE
CVE
added 2019/10/24 4:49 p.m.133 views

CVE-2019-12094

CVE-2019-12094 affects Horde Groupware Webmail Edition through 5.2.22. The vulnerability allows XSS via crafted URIs such as admin/user.php?form=update_f&user_name=, admin/user.php?form=remove_f&user_name=, or admin/config/diff.php?app=, as documented in the CVE entry and OSV/NVD references. The ...

6.1CVSS6.8AI score0.01536EPSS
Web
CVE
CVE
added 2022/07/28 9:8 p.m.116 views

CVE-2022-30287

CVE-2022-30287 affects Horde Groupware Webmail Edition up to 5.2.22, enabling a reflection injection that allows arbitrary deserialization of PHP objects via a driver-class instantiation. Debian advisories note fixes in php-horde-turba: 4.2.25-5+deb11u2 for Debian 11 (and related LTS advisories f...

8CVSS7.8AI score0.70276EPSS
CVE
CVE
added 2020/05/18 4:7 p.m.103 views

CVE-2020-8034

CVE-2020-8034 affects Gollem before 3.0.13 (used in Horde Groupware Webmail Edition 5.2.22 and other products). The vulnerability is a reflected XSS via the HTTP GET dir parameter in the browser functionality, impacting breadcrumb output. Exploitation can lead to an attacker gaining access to a v...

6.1CVSS5.8AI score0.00974EPSS
CVE
CVE
added 2020/05/18 2:55 p.m.94 views

CVE-2020-8035

Affected software: Horde Groupware Webmail Edition. Vulnerability: stored XSS via SVG image uploads, enabling a remote attacker to obtain access to a victim’s webmail account. Affected versions are Horde Groupware Webmail Edition prior to 5.2.22. Risk details are stated in the connected documents...

6.1CVSS5.8AI score0.00881EPSS
CVE
CVE
added 2009/09/17 10:0 a.m.84 views

CVE-2009-3236

CVE-2009-3236 affects Horde Application Framework 3.2 (before 3.2.5) and 3.3 (before 3.3.5), Groupware 1.1 (before 1.1.6) and 1.2 (before 1.2.4), and Horde Webmail Editions 1.1 (before 1.1.6) and 1.2 (before 1.2.4). The vulnerability arises from Horde_Form_Type_image reusing temporary upload file...

4.3CVSS6.9AI score0.02305EPSS
CVE
CVE
added 2015/11/19 8:0 p.m.81 views

CVE-2015-7984

CVE-2015-7984 cites CSRF vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 that allow remote attackers to hijack administrator authentication to perform requests executing arbitrary commands, SQL queries, or PHP code (via cmd, ...

6.8CVSS6.6AI score0.04116EPSS
Web
CVE
CVE
added 2009/12/21 4:0 p.m.79 views

CVE-2009-3701

CVE-2009-3701 affects Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5. It enables remote XSS via PATH_INFO to admin/phpshell.php, admin/cmdshell.php, or admin/sqlshell.php, related to PHP_SELF. Impact is arbitrary script/HTM...

4.3CVSS5.5AI score0.04832EPSS
Web
CVE
CVE
added 2017/10/11 3:0 a.m.78 views

CVE-2017-15235

The CVE-2017-15235 issue affects the Horde Groupware File Manager (gollem) module: version 3.0.11 in Horde Groupware 5.2.21 allows remote unauthenticated file downloads via a crafted fn parameter that maps to the exact filename. The vulnerability enables remote attackers to bypass Horde authentic...

7.5CVSS7.4AI score0.0553EPSS
Web
CVE
CVE
added 2017/04/04 2:0 p.m.78 views

CVE-2017-7413

CVE-2017-7413 affects Horde_Crypt prior to 2.7.6 used in Horde Groupware Webmail Edition (through 5.2.17). An OS command injection is possible when an authenticated Horde Webmail user with PGP features enabled encrypts mail to a specially crafted address, enabling potential remote code execution ...

9CVSS8.5AI score0.40447EPSS
CVE
CVE
added 2020/03/23 8:15 p.m.78 views

CVE-2020-8866

CVE-2020-8866 affects Horde Groupware Webmail Edition 5.2.22, with a flaw in add.php where insufficient validation of user-supplied data allows remote attackers (authenticated) to upload arbitrary files. This can enable code execution in the www-data context when combined with other vulnerabiliti...

6.5CVSS6.5AI score0.09579EPSS
CVE
CVE
added 2016/04/13 4:0 p.m.76 views

CVE-2016-2228

CVE-2016-2228 is a cross-site scripting (XSS) vulnerability in Horde Groupware prior to 5.2.12 and Horde Groupware Webmail Edition prior to 5.2.12. The issue allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, demonstrated by a request to xplorer/gollem/m...

6.1CVSS5.9AI score0.01869EPSS
Web
CVE
CVE
added 2020/03/23 8:15 p.m.75 views

CVE-2020-8865

CVE-2020-8865 affects Horde Groupware Webmail Edition 5.2.22. A flaw in edit.php when parsing params[template] allows an authenticated attacker to trigger improper file path handling and, with other vulnerabilities, execute code as the www-data user. Connected advisories confirm the issue and lin...

6.5CVSS6.3AI score0.06808EPSS
CVE
CVE
added 2016/04/13 4:0 p.m.73 views

CVE-2015-8807

The CVE-2015-8807 issue affects Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12. The vulnerability resides in Horde’s _renderVarInput_number function within Html.php, enabling remote attackers to inject arbitrary web script or HTML via numbers in form fields (XSS)....

6.1CVSS5.8AI score0.02061EPSS
CVE
CVE
added 2009/09/13 10:0 p.m.71 views

CVE-2008-7218

The CVE-2008-7218 entry concerns an unspecified vulnerability in the Horde API affecting Horde 3.x (including Horde, Turba H3, Kronolith H3, Nag H3, Mnemo H3) and Horde Groupware/Groupware Webmail Edition with multiple pre-release version gaps. Public sources concur the vulnerability has unknown ...

10CVSS6.5AI score0.02202EPSS
CVE
CVE
added 2019/11/05 1:43 p.m.70 views

CVE-2013-6364

CVE-2013-6364 concerns the Horde Groupware Webmail Edition, where saving a search as a virtual address book is vulnerable to CSRF and XSS. The vulnerability arises in the webmail component when performing the save operation, enabling an attacker to induce cross-site requests or script execution i...

8.8CVSS8.3AI score0.02084EPSS
CVE
CVE
added 2017/11/20 8:0 p.m.70 views

CVE-2017-16908

The CVE-2017-16908 entry concerns Horde Groupware 5.2.19, where an XSS vulnerability in the Resource Name field can be exploited to enable remote code execution after compromising an administrator account, by bypassing the CVE-2015-7984 CSRF protection mechanism. Affected product/component: Horde...

5.4CVSS5.7AI score0.01752EPSS
CVE
CVE
added 2009/09/17 10:0 a.m.69 views

CVE-2009-3237

The CVE-2009-3237 issue affects Horde Application Framework and related Groupware packages: XSS vulnerabilities in Horde App Framework versions before 3.2.5 (and 3.3.x before 3.3.5) and in Groupware 1.1.x before 1.1.6 and 1.2.x before 1.2.4, plus Groupware Webmail Edition 1.1/1.2 before these fix...

4.3CVSS5.5AI score0.02267EPSS
Web
CVE
CVE
added 2008/02/19 12:0 a.m.68 views

CVE-2008-0807

CVE-2008-0807 affects Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, deployed in Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5. The flaw in lib/Driver/sql.php fails to properly check access rights, allowing remote authenticated use...

4.9CVSS5.9AI score0.01383EPSS
Web
CVE
CVE
added 2019/11/05 1:53 p.m.68 views

CVE-2013-6365

The CVE-2013-6365 entry relates to Horde Groupware Webmail 5.1.2 and describes a CSRF vulnerability in which requests to change permissions can be forged. Public references (e.g., Exploit-DB) describe a CSRF flaw in the Change of permissions function due to a missing or insufficient token in the ...

5.3CVSS5.9AI score0.01072EPSS
CVE
CVE
added 2019/11/05 6:50 p.m.67 views

CVE-2013-6275

CVE-2013-6275 affects Horde Groupware Webmail Edition up to 5.1.2, specifically in basic.php, with multiple CSRF issues. The root cause is missing CSRF protections in several functions; exploitation details are shown in the Exploit-DB entry (Horde Groupware Web Mail Edition 5.1.2 CSRF). The conne...

6.5CVSS6.4AI score0.02072EPSS
CVE
CVE
added 2017/04/04 2:0 p.m.66 views

CVE-2017-7414

In Horde_Crypt (PHP Horde) prior to 2.7.6, used in Horde Groupware Webmail Edition 5.x–5.2.17, a crafted PGP-signed email can trigger OS command injection when the recipient views or previews the message. The vulnerability arises when PGP features are enabled and “Should PGP signed messages be au...

7.5CVSS8AI score0.01249EPSS
CVE
CVE
added 2011/03/31 10:0 p.m.65 views

CVE-2010-3695

CVE-2010-3695 is a cross-site scripting (XSS) vulnerability in Horde IMP (before 4.3.8) and Horde Groupware Webmail Edition (before 1.2.7). The flaw allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in the fetchmail_prefs_save action (Fetchmail configuration)....

4.3CVSS5.5AI score0.04979EPSS
CVE
CVE
added 2017/11/20 8:0 p.m.65 views

CVE-2017-16907

In Horde Groupware, CVE-2017-16907 is a documented XSS in the Color field of a Create Task List action affecting Horde Groupware 5.2.19 and 5.2.21. Debian LTS advisories report fixes in php-horde-core (2.27.6+debian1-2+deb9u1) and php-horde (5.2.13+debian0-1+deb9u3) for Debian 9 stretch, indicati...

5.4CVSS5AI score0.01077EPSS
CVE
CVE
added 2008/03/11 12:0 a.m.64 views

CVE-2008-1284

CVE-2008-1284 affects Horde 3.1.6, Groupware up to 1.0.5, and Groupware Webmail Edition up to 1.0.6. The vulnerability is a directory traversal via ../ and a null byte in the theme name, allowing remote authenticated users to read and execute arbitrary files. The NVD entry lists a CVSSv2 base sco...

6CVSS6.5AI score0.01677EPSS
CVE
CVE
added 2009/09/13 10:0 p.m.62 views

CVE-2008-7219

CVE-2008-7219 affects Horde Kronolith H3 (2.1 up to before 2.1.7; 2.2 before 2.2-RC2), Nag H3 (2.1 before 2.1.4; 2.2 before 2.2-RC2), Mnemo H3 (2.1 before 2.1.2; 2.2 before 2.2-RC2), Groupware (1.0 before 1.0.3; 1.1 before 1.1-RC2) and Groupware Webmail Edition (1.0 before 1.0.4; 1.1 before 1.1-R...

10CVSS6.7AI score0.02744EPSS
CVE
CVE
added 2017/11/20 8:0 p.m.62 views

CVE-2017-16906

CVE-2017-16906 affects Horde Groupware, specifically version 5.2.19–5.2.22, where an XSS vulnerability exists in the Calendar → New Event URL field. The vulnerability allows an attacker to inject HTML/JavaScript through the URL parameter, with potential for remote code execution as per CNVD descr...

5.4CVSS5AI score0.01086EPSS
CVE
CVE
added 2016/12/20 10:0 p.m.61 views

CVE-2016-5303

CVE-2016-5303 affects Horde Groupware and Horde Groupware Webmail Edition (before 5.2.16). Vulnerable component: Horde Text Filter API. The issue allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute, enabling...

6.1CVSS6AI score0.01509EPSS
CVE
CVE
added 2009/12/21 4:0 p.m.58 views

CVE-2009-4363

CVE-2009-4363 affects Horde Framework components (Text_Filter/lib/Horde/Text/Filter/Xss.php) and related Horde Groupware packages, where data: URIs in HTML email HREF attributes could trigger cross-site scripting. Root cause is improper handling of data: URIs; vendor notes issue tied to Firefox. ...

4.3CVSS5AI score0.0137EPSS
Web
CVE
CVE
added 2007/03/26 11:0 p.m.56 views

CVE-2007-1679

The CVE-2007-1679 entry concerns multiple XSS vulnerabilities in Horde Groupware Webmail 1.0, specifically in imp/search.php and ingo/rule.php. The issue is that remote authenticated users can inject script/HTML via unspecified vectors; however, the vendor disputes the existence of the search.php...

5.4CVSS4.9AI score0.00912EPSS
CVE
CVE
added 2008/04/27 7:0 p.m.56 views

CVE-2008-1974

CVE-2008-1974 is an XSS vulnerability in Horde Kronolith (Kronolith 2.1.x and Groupware variants) where the url parameter in addevent.php can inject arbitrary script/HTML. The issue is reported as insufficient input sanitisation in Kronolith’s add-event flow, allowing remote attackers to execute ...

4.3CVSS5.4AI score0.04883EPSS
CVE
CVE
added 2014/04/05 9:0 p.m.55 views

CVE-2012-6640

Cross-site scripting (XSS) in Horde Internet Mail Program (IMP) before 5.0.22, used with Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment. No remediation details are provided in the supplied documents.

4.3CVSS5.6AI score0.01848EPSS
CVE
CVE
added 2014/04/05 9:0 p.m.53 views

CVE-2012-5565

CVE-2012-5565 is an XSS vulnerability in Horde IMP (js/compose-dimp.js) used with Horde Groupware Webmail Edition prior to 4.0.9. The issue allows remote attackers to inject arbitrary web script or HTML by supplying a crafted name for an attached file in the dynamic view, affecting Horde IMP befo...

4.3CVSS5.6AI score0.0181EPSS
CVE
CVE
added 2007/01/30 5:0 p.m.51 views

CVE-2007-0579

CVE-2007-0579 affects Horde Groupware Webmail Edition before 1.0 and Groupware before 1.0. Unspecified vulnerability in the calendar component allows remote attackers to include certain files via unspecified vectors. No further technical details or remediation are provided in the accessible docum...

5.1CVSS6.7AI score0.01372EPSS
CVE
CVE
added 2008/06/19 8:0 p.m.51 views

CVE-2008-2783

CVE-2008-2783 describes multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, including Groupware Webmail Edition and Kronolith. The flaws allow remote attackers to inject arbitrary script or HTML via the timestamp parameter to week.php, workweek.php, and day.php, and via the ho...

4.3CVSS5.7AI score0.01505EPSS
CVE
CVE
added 2014/07/14 2:0 p.m.50 views

CVE-2014-4945

CVE-2014-4945 : Concrete details across multiple sources show multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5. The issue allows remote attackers to inject arbitrary web script or HTML vi...

4.3CVSS5.9AI score0.01312EPSS
CVE
CVE
added 2014/07/14 2:0 p.m.47 views

CVE-2014-4946

The vulnerability CVE-2014-4946 affects Horde IMP (Internet Mail Program) before version 6.1.8, as deployed in Horde Groupware Webmail Edition before 5.1.5. The issue is a cross-site scripting (XSS) flaw that allows remote attackers to inject arbitrary web script or HTML via (1) unspecified flags...

4.3CVSS5.9AI score0.01312EPSS
CVE
CVE
added 2014/04/05 9:0 p.m.46 views

CVE-2012-5566

Affected software: Horde Kronolith (H4) 3.0.x used in Horde Groupware Webmail Edition prior to 4.0.8. Vulnerability: multiple XSS flaws in the tasks view and search view, due to input handling in Kronolith before 3.0.17. Impact: remote attackers can inject arbitrary web script or HTML. Remediatio...

4.3CVSS5.8AI score0.02461EPSS
CVE
CVE
added 2011/04/01 9:0 p.m.45 views

CVE-2010-3693

CVE-2010-3693 is an XSS vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5 and Horde Groupware Webmail Edition before 1.2.7. It allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names. The documents do not specify exploitation status or c...

4.3CVSS5.8AI score0.02591EPSS
CVE
CVE
added 2011/04/01 9:0 p.m.42 views

CVE-2010-4778

Horde IMP prior to 4.3.8 and Horde Groupware Webmail Edition prior to 1.2.7 contain multiple XSS vulnerabilities in fetchmailprefs.php (fetchmail_prefs_save action). The issues allow remote attackers to inject arbitrary web script or HTML via vulnerable fields, specifically (for CVE-2010-4778) th...

4.3CVSS5.8AI score0.00902EPSS
CVE
CVE
added 2014/04/05 9:0 p.m.40 views

CVE-2012-5567

CVE-2012-5567 affects Horde Kronolith (H4) before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9. The flaw is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary script/HTML via crafted event location parameters in the month, monthlist, or ...

4.3CVSS5.8AI score0.02461EPSS
CVE
CVE
added 2025/12/02 2:1 p.m.15 views

CVE-2025-41066

The vulnerability concerns Horde Groupware v5.2.22. Affected component: Horde Groupware web interface. Root cause: unauthenticated user enumeration via HTTP request to /imp/attachment.php with parameters id and u, causing the server to reveal whether a user exists (returns an empty file when the ...

6.9CVSS6.6AI score0.00214EPSS
Web