Vulnerability Name:

CVE-2004-2574 (CCN-18497)

Assigned:2004-12-15
Published:2004-12-15
Updated:2011-03-08
Summary:Cross-site scripting (XSS) vulnerability in index.php in phpGroupWare 0.9.14.005 and earlier allows remote attackers to inject arbitrary web script or HTML via the date parameter in a calendar.uicalendar.planner menuaction.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: CCN
Type: BugTraq Mailing List, Tue Dec 14 2004 - 21:15:17 CST
Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ]

Source: MITRE
Type: CNA
CVE-2004-1385

Source: MITRE
Type: CNA
CVE-2004-2574

Source: MITRE
Type: CNA
CVE-2004-2575

Source: CCN
Type: GLSA-200501-08
phpGroupWare: Various vulnerabilities

Source: OSVDB
Type: Exploit
7600

Source: CCN
Type: OSVDB ID: 12390
phpGroupWare preferences.php Path Disclosure

Source: CCN
Type: OSVDB ID: 12391
phpGroupWare index.php Path Disclosure

Source: CCN
Type: OSVDB ID: 12392
phpGroupWare wiki/index.php kp3 Parameter XSS

Source: CCN
Type: OSVDB ID: 12396
phpGroupWare index.php Multiple Parameter SQL Injection

Source: CCN
Type: OSVDB ID: 7600
phpGroupWare index.php Calendar Date Parameter XSS

Source: CCN
Type: OSVDB ID: 7601
phpGroupWare setup.inc.php.sample Path Disclosure

Source: CCN
Type: OSVDB ID: 7602
phpGroupWare class.holidaycalc.inc.php Path Disclosure

Source: CCN
Type: OSVDB ID: 7603
phpGroupWare hook_home.inc.php Path Disclosure

Source: CCN
Type: OSVDB ID: 7604
phpGroupWare hook_admin.inc.php Path Disclosure

Source: BID
Type: Exploit, Patch
12082

Source: CCN
Type: BID-12082
PHPGroupWare Index.PHP HTML Injection Vulnerability

Source: XF
Type: UNKNOWN
phpgroupware-path-disclosure(18497)

Source: CONFIRM
Type: Exploit
https://savannah.gnu.org/bugs/?func=detailitem&item_id=7478

Vulnerable Configuration:Configuration 1:
  • cpe:/a:phpgroupware:phpgroupware:0.9.16.000:*:*:*:*:*:*:*
  • OR cpe:/a:phpgroupware:phpgroupware:0.9.16.002:*:*:*:*:*:*:*
  • OR cpe:/a:phpgroupware:phpgroupware:0.9.16.003:*:*:*:*:*:*:*
  • OR cpe:/a:phpgroupware:phpgroupware:*:*:*:*:*:*:*:* (Version <= 0.9.16.005)

    • * Denotes that component is vulnerable
    BACK
    phpgroupware phpgroupware 0.9.16.000
    phpgroupware phpgroupware 0.9.16.002
    phpgroupware phpgroupware 0.9.16.003
    phpgroupware phpgroupware *