OpenCVE

Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Horde	Gollem Groupware

Configuration 1 [-]

OR	cpe:2.3:a:horde:gollem::::::::
	cpe:2.3:a:horde:groupware:5.2.22::::webmail:::

No data.

References

Link	Providers
https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES
https://github.com/horde/gollem/commits/master
https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html
https://lists.horde.org/archives/announce/2020/001289.html
https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-18T16:07:37

Updated: 2024-08-04T09:48:25.031Z

Reserved: 2020-01-27T00:00:00

Link: CVE-2020-8034

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-05-18T17:15:11.053

Modified: 2024-11-21T05:38:15.790

Link: CVE-2020-8034

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-04-20T00:00:00", "descriptions": [{"lang": "en", "value": "Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-31T17:06:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/horde/gollem/commits/master"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.horde.org/archives/announce/2020/001289.html"}, {"name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2229-1] php-horde-gollem security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8034", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/horde/gollem/commits/master", "refsource": "MISC", "url": "https://github.com/horde/gollem/commits/master"}, {"name": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html", "refsource": "CONFIRM", "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html"}, {"name": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES", "refsource": "CONFIRM", "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES"}, {"name": "https://lists.horde.org/archives/announce/2020/001289.html", "refsource": "MISC", "url": "https://lists.horde.org/archives/announce/2020/001289.html"}, {"name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2229-1] php-horde-gollem security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:48:25.031Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/horde/gollem/commits/master"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.horde.org/archives/announce/2020/001289.html"}, {"name": "[debian-lts-announce] 20200531 [SECURITY] [DLA 2229-1] php-horde-gollem security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8034", "datePublished": "2020-05-18T16:07:37", "dateReserved": "2020-01-27T00:00:00", "dateUpdated": "2024-08-04T09:48:25.031Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:horde:gollem:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D81DB46-9AC0-4484-B46C-29D8044163EF", "versionEndExcluding": "3.0.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:horde:groupware:5.2.22:*:*:*:webmail:*:*:*", "matchCriteriaId": "13EBB673-7F7D-402E-9791-7974AC24B529", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL."}, {"lang": "es", "value": "Gollem versiones anteriores a 3.0.13, tal como es usado en Horde Groupware Webmail Edition versi\u00f3n 5.2.22 y otros productos, est\u00e1 afectado por una vulnerabilidad de tipo Cross-Site Scripting (XSS) reflejada por medio del par\u00e1metro HTTP GET dir en la funcionalidad browser, afectando a una salida del breadcrumb. Un atacante puede obtener acceso a la cuenta de correo web de una v\u00edctima al hacer que visite una URL maliciosa."}], "id": "CVE-2020-8034", "lastModified": "2024-11-21T05:38:15.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-18T17:15:11.053", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/horde/gollem/commits/master"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.horde.org/archives/announce/2020/001289.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/horde/gollem/commits/master"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.horde.org/archives/announce/2020/001289.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}