Vulnerability Description
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
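The bug class behind this entry is the classic PHP_SELF reflection: PHP_SELF is the script path plus any PATH_INFO the client appended, so a request to admin/phpshell.php/<payload> puts attacker-controlled text into PHP_SELF, and any page that echoes it into a form action without escaping becomes a reflected XSS. Because the three scripts live in the administration interface, the payload fires in an administrator's browser. The following is an added illustration of the vulnerable pattern next to a hardened version; it is not Horde's code, and the file name, markup and the sample request are constructed for the example.

```php
<?php
// Added example for the PHP_SELF / PATH_INFO reflection described above.
// Not Horde's code: the file path, markup and request are constructed.

// Constructed sample: what PHP reports for a request to
//   /horde/admin/phpshell.php/"><script>alert(1)</script>
// PHP_SELF carries the PATH_INFO tail; SCRIPT_NAME does not.
$server = [
    'SCRIPT_NAME' => '/horde/admin/phpshell.php',
    'PATH_INFO'   => '/"><script>alert(1)</script>',
    'PHP_SELF'    => '/horde/admin/phpshell.php/"><script>alert(1)</script>',
];

// Vulnerable pattern: PHP_SELF dropped straight into an HTML attribute.
// The '"' in PATH_INFO closes the attribute and the <script> tag runs.
function renderFormVulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened pattern: use the path that excludes PATH_INFO (SCRIPT_NAME) and
// still HTML-escape it with ENT_QUOTES so a '"' can never break the attribute.
function renderFormHardened(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Minimal self-check: the hardened output must not contain a raw '<' or '"'
// from the request, and must not contain the PATH_INFO tail at all.
function isSafe(string $html, array $server): bool
{
    return strpos($html, $server['PATH_INFO']) === false
        && strpos($html, '<script') === false;
}

echo renderFormVulnerable($server), "\n";
echo renderFormHardened($server), "\n";
echo 'vulnerable safe? ', isSafe(renderFormVulnerable($server), $server) ? 'yes' : 'no', "\n";
echo 'hardened safe?   ', isSafe(renderFormHardened($server), $server) ? 'yes' : 'no', "\n";
```

Run with `php demo.php`: the first line shows the script tag landing outside the closed attribute, the second shows a plain action path. The point of the hardened version is twofold: choosing SCRIPT_NAME removes the attacker-controlled PATH_INFO segment, and escaping with htmlspecialchars is still applied so that the fix does not depend on the server never putting unexpected characters into the variable. Escaping PHP_SELF alone would also stop this XSS; switching to SCRIPT_NAME is the additional hardening an editor would recommend.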
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Affected Versions | Fixed In |
|---|---|---|---|
| Horde | Application Framework | <= 3.3.5 | 3.3.6 |
| Horde | Groupware | <= 1.2.4 | 1.2.5 |
| Horde | Groupware Webmail Edition | <= 1.2.4 | 1.2.5 |
Related Weaknesses (CWE)
References
- http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0388.html (Exploit)
- http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559&r2=1.515.2.589&t
- http://lists.horde.org/archives/announce/2009/000529.html (Patch)
- http://marc.info/?l=horde-announce&m=126100750018478&w=2
- http://marc.info/?l=horde-announce&m=126101076422179&w=2 (Patch)
- http://secunia.com/advisories/37709 (Vendor Advisory)
- http://secunia.com/advisories/37823 (Vendor Advisory)
- http://securitytracker.com/id?1023365
- http://www.securityfocus.com/archive/1/508531/100/0/threaded
- http://www.securityfocus.com/bid/37351 (Exploit)
- http://www.vupen.com/english/advisories/2009/3549 (Patch, Vendor Advisory)
- http://www.vupen.com/english/advisories/2009/3572 (Patch, Vendor Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54817
FAQ
What is CVE-2009-3701?
CVE-2009-3701 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
How severe is CVE-2009-3701?
CVE-2009-3701 has been rated MEDIUM with a CVSS base score of 4.3/10. This page does not list the CVSS vector components; the issue is a reflected XSS in admin-only scripts, so exploitation requires an administrator to follow an attacker-supplied link.
Is there a patch for CVE-2009-3701?
Yes. The vendor fixed the issue in Horde Application Framework 3.3.6, Horde Groupware 1.2.5 and Horde Groupware Webmail Edition 1.2.5; see the Horde announcements and the CHANGES diff in the references section above for patch details. Affected products include: Horde Application Framework, Horde Groupware, Horde Groupware Webmail Edition.