Filtered by vendor Horde
Filtered by product Groupware
Total: 45 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-8518 | 3 Debian, Fedoraproject, Horde | 3 Debian Linux, Fedora, Groupware | 2024-08-04 | 9.8 Critical | Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. |
CVE-2020-8035 | 1 Horde | 1 Groupware | 2024-08-04 | 6.1 Medium | The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL. |
CVE-2020-8034 | 1 Horde | 2 Gollem, Groupware | 2024-08-04 | 6.1 Medium | Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL. |
CVE-2021-26929 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2024-08-03 | 6.1 Medium | An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses. |
CVE-2022-30287 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2024-08-03 | 8.0 High | Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects. |