HordeCVEs & Vulnerabilities

115 CVEs affecting Horde products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

imp 362groupware 249horde application framework 229horde 138application framework 112groupware webmail edition 88kronolith h4 52horde image api 44
CVE-2005-1319MEDIUM

Cross-site scripting (XSS) vulnerability in Horde IMP Webmail client before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.

2 May 2005
4.3
CVSS
CVE-2005-1320MEDIUM

Cross-site scripting (XSS) vulnerability in Horde Mnemo Note Manager before 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.

2 May 2005
4.3
CVSS
CVE-2005-1321MEDIUM

Cross-site scripting (XSS) vulnerability in Horde Vacation module before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.

2 May 2005
4.3
CVSS
CVE-2005-1322MEDIUM

Cross-site scripting (XSS) vulnerability in Horde Nag Task List Manager before 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.

2 May 2005
4.3
CVSS
CVE-2005-0378MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Horde 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter to prefs.php or (2) url parameter to index.php.

2 May 2005
4.3
CVSS
CVE-2005-0961MEDIUM

Cross-site scripting (XSS) vulnerability in Horde 3.0.4 before 3.0.4-RC2 allows remote attackers to inject arbitrary web script or HTML via the parent frame title.

2 May 2005
4.3
CVSS
CVE-2005-1317MEDIUM

Cross-site scripting (XSS) vulnerability in Horde Chora module before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.

25 Apr 2005
6.8
CVSS
CVE-2004-1443MEDIUM

Cross-site scripting (XSS) vulnerability in the inline MIME viewer in Horde-IMP (Internet Messaging Program) 3.2.4 and earlier, when used with Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via an e-mail message.

31 Dec 2004
4.3
CVSS
CVE-2004-2741MEDIUM

Cross-site scripting (XSS) vulnerability in the "help window" (help.php) in Horde Application Framework 2.2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) module, (2) topic, or (3) module parameters.

31 Dec 2004
4.3
CVSS
CVE-2004-0584MEDIUM

Unknown vulnerability in Horde IMP 3.2.3 and earlier, before a "security fix," does not properly validate input, which allows remote attackers to execute arbitrary script as other users via script or HTML in an e-mail message, possibly triggering a cross-site scripting (XSS) vulnerability.

6 Aug 2004
6.8
CVSS
CVE-2003-0728MEDIUM

Horde before 2.2.4 allows remote malicious web sites to steal session IDs and read or create arbitrary email by stealing the ID from a referrer URL.

20 Oct 2003
6.4
CVSS
CVE-2003-0025HIGH

Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow remote attackers to perform unauthorized database activities and possibly gain privileges via certain database functions such as check_prefs() in db.pgsql, as demonstrated using mailbox.php3.

17 Jan 2003
7.5
CVSS
CVE-2002-2024MEDIUM

Horde IMP 2.2.7 allows remote attackers to obtain the full web root pathname via an HTTP request for (1) poppassd.php3, (2) login.php3?reason=chpass2, (3) spelling.php3, and (4) ldap.search.php3?ldap_serv=nonsense which leaks the information in error messages.

31 Dec 2002
5.3
CVSS
CVE-2002-0181HIGH

Cross-site scripting vulnerability in status.php3 for IMP 2.2.8 and HORDE 1.2.7 allows remote attackers to execute arbitrary web script and steal cookies of other IMP/HORDE users via the script parameter.

22 Apr 2002
7.5
CVSS
CVE-2001-0744LOW

Horde IMP 2.2.4 and earlier allows local users to overwrite files via a symlink attack on a temporary file.

18 Oct 2001
2.1
CVSS
CVE-2001-1257HIGH

Cross-site scripting vulnerability in Horde Internet Messaging Program (IMP) before 2.2.6 and 1.2.6 allows remote attackers to execute arbitrary Javascript embedded in an email.

21 Jul 2001
7.5
CVSS
CVE-2001-1258LOW

Horde Internet Messaging Program (IMP) before 2.2.6 allows local users to read IMP configuration files and steal the Horde database password by placing the prefs.lang file containing PHP code on the server.

21 Jul 2001
3.6
CVSS
CVE-2000-0910MEDIUM

Horde library 1.02 allows attackers to execute arbitrary commands via shell metacharacters in the "from" address.

19 Dec 2000
4.6
CVSS
CVE-2000-0911MEDIUM

IMP 2.2 and earlier allows attackers to read and delete arbitrary files by modifying the attachment_name hidden form variable, which causes IMP to send the file to the attacker as an attachment.

19 Dec 2000
5.0
CVSS
← PrevPage 3 / 3Next →