Vulnerability Description
Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.
CVSS Score
6.1
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Horde | Groupware | <= 5.2.22 |
Related Weaknesses (CWE)
References
- https://bugs.horde.org/ticket/14926ExploitIssue TrackingVendor Advisory
- https://cxsecurity.com/issue/WLB-2019050199ExploitThird Party Advisory
- https://numanozdemir.com/respdisc/horde/horde.mp4ExploitThird Party Advisory
- https://numanozdemir.com/respdisc/horde/horde.txtExploitThird Party Advisory
- https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-IExploitThird Party AdvisoryVDB Entry
- https://www.exploit-db.com/exploits/46903ExploitThird Party AdvisoryVDB Entry
- https://bugs.horde.org/ticket/14926ExploitIssue TrackingVendor Advisory
- https://cxsecurity.com/issue/WLB-2019050199ExploitThird Party Advisory
- https://numanozdemir.com/respdisc/horde/horde.mp4ExploitThird Party Advisory
- https://numanozdemir.com/respdisc/horde/horde.txtExploitThird Party Advisory
- https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-IExploitThird Party AdvisoryVDB Entry
- https://www.exploit-db.com/exploits/46903ExploitThird Party AdvisoryVDB Entry
FAQ
What is CVE-2019-12094?
CVE-2019-12094 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.
How severe is CVE-2019-12094?
CVE-2019-12094 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-12094?
Check the references section above for vendor advisories and patch information. Affected products include: Horde Groupware.