Vulnerability Name: CVE-2005-3570 (CCN-23061)

Assigned: 2005-11-10
Published: 2005-11-10
Updated: 2011-05-19
Summary: Unspecified cross-site scripting (XSS) vulnerability in Horde before 2.2.9 allows remote attackers to inject arbitrary web script or HTML via "not properly escaped error messages".
CVSS v3 Severity: 9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Changed
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2005-3570

Source: CONFIRM
Type: Patch
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.207.2.109&r2=1.207.2.111&ty=h

Source: CCN
Type: Horde Original Advisory
Horde 2.2.9 (final)

Source: MLIST
Type: UNKNOWN
[Horde-announce] 20051113 Horde 2.2.9 (final)

Source: CCN
Type: SA17468
Horde Error Messages Cross-Site Scripting Vulnerability

Source: SECUNIA
Type: Patch, Vendor Advisory
17468

Source: SECUNIA
Type: Patch, Vendor Advisory
17702

Source: SECUNIA
Type: Patch, Vendor Advisory
17794

Source: DEBIAN
Type: Patch, Vendor Advisory
DSA-914

Source: DEBIAN
Type: DSA-914
horde2 -- missing input sanitising

Source: CCN
Type: GLSA-200511-20
Horde Application Framework: XSS vulnerability

Source: GENTOO
Type: Patch, Vendor Advisory
GLSA-200511-20

Source: CCN
Type: Horde Web site
The Horde Application Framework

Source: CCN
Type: OSVDB ID: 20815
Horde Error Messages XSS

Source: BID
Type: Patch
15409

Source: CCN
Type: BID-15409
Horde Unspecified Error Message Cross-Site Scripting Vulnerability

Source: VUPEN
Type: Vendor Advisory
ADV-2005-2403

Source: XF
Type: UNKNOWN
horde-error-message-xss(23061)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:horde:horde:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:2.2.4_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:2.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:2.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:2.2.8:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable

Oval Definitions

Definition ID: oval:org.opensuse.security:def:20053570
Class: V
Title: CVE-2005-3570
Last Modified: 2015-11-16

Definition ID: oval:org.debian:def:914
Class: V
Title: missing input sanitising
Last Modified: 2005-12-01