Vulnerability Name:

CVE-2005-4189 (CCN-23614)

Assigned:2005-12-11
Published:2005-12-11
Updated:2011-03-08
Summary:Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith H3 before 2.0.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the Calendar name field when creating calendars, (2) event title field when deleting events, the (3) Category and (4) Location search fields, and the (5) attendees email address fields when editing event attendees, and possibly other vectors.
CVSS v3 Severity:2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
2.1 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: Full-Disclosure Mailing List, Sun Dec 11 2005 - 14:04:30 CST
SEC Consult SA-20051211-0 :: Several XSS issues in Horde Framework, Kronolith Calendar, Mnemo Notes, Nag Tasks and Turba Addressbook

Source: FULLDISC
Type: Vendor Advisory
20051211 SEC Consult SA-20051211-0 :: Several XSS issues in Horde Framework, Kronolith Calendar, Mnemo Notes, Nag Tasks and Turba Addressbook

Source: MITRE
Type: CNA
CVE-2005-4189

Source: MLIST
Type: Patch
[horde-announce] 20051211 Kronolith H3 (2.0.6) (final)

Source: CCN
Type: SA17971
Kronolith Script Insertion Vulnerabilities

Source: SECUNIA
Type: Patch, Vendor Advisory
17971

Source: SECUNIA
Type: UNKNOWN
18827

Source: DEBIAN
Type: UNKNOWN
DSA-970

Source: DEBIAN
Type: DSA-970
kronolith -- missing input sanitising

Source: CCN
Type: Kronolith Web site
Kronolith Calendar Application

Source: OSVDB
Type: Patch
21608

Source: OSVDB
Type: Patch
21609

Source: OSVDB
Type: Patch
21610

Source: OSVDB
Type: Patch
21611

Source: CCN
Type: OSVDB ID: 21608
Horde Kronolith Calendar Multiple Field XSS

Source: CCN
Type: OSVDB ID: 21609
Horde Kronolith Calendar Event Manipulation XSS

Source: CCN
Type: OSVDB ID: 21610
Horde Kronolith Calendar Search Function Multiple Method XSS

Source: CCN
Type: OSVDB ID: 21611
Horde Kronolith Calendar Edit Permission Function XSS

Source: MISC
Type: Vendor Advisory
http://www.sec-consult.com/245.html

Source: BID
Type: Patch
15808

Source: CCN
Type: BID-15808
Horde Kronolith Multiple HTML Injection Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2005-2834

Source: XF
Type: UNKNOWN
kronolith-name-address-xss(23614)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:horde:kronolith_h3:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0.2_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0.3_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0.4_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0_alpha:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0_beta:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0_rc1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0_rc2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:kronolith_h3:2.0_rc3:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:horde:kronolith:2.0.5:*:*:*:*:*:*:*
  • AND
  • cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2005-4189 (CCN-23615)

    Assigned:2005-12-11
    Published:2005-12-11
    Updated:2011-03-08
    Summary:Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith H3 before 2.0.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the Calendar name field when creating calendars, (2) event title field when deleting events, the (3) Category and (4) Location search fields, and the (5) attendees email address fields when editing event attendees, and possibly other vectors.
    CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): None
    Integrity (I): Low
    Availibility (A): None
    CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): Single_Instance
    Impact Metrics:Confidentiality (C): None
    Integrity (I): Partial
    Availibility (A): None
    5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
    Exploitability Metrics:Access Vector (AV): Network
    Access Complexity (AC): Low
    Athentication (Au): None
    Impact Metrics:Confidentiality (C): None
    Integrity (I): Partial
    Availibility (A): None
    Vulnerability Type:CWE-Other
    Vulnerability Consequences:Data Manipulation
    References:Source: CCN
    Type: Full-Disclosure Mailing List, Sun Dec 11 2005 - 14:04:30 CST
    SEC Consult SA-20051211-0 :: Several XSS issues in Horde Framework, Kronolith Calendar, Mnemo Notes, Nag Tasks and Turba Addressbook

    Source: MITRE
    Type: CNA
    CVE-2005-4189

    Source: CCN
    Type: SA17971
    Kronolith Script Insertion Vulnerabilities

    Source: DEBIAN
    Type: DSA-970
    kronolith -- missing input sanitising

    Source: CCN
    Type: Kronolith Web site
    Kronolith Calendar Application

    Source: CCN
    Type: OSVDB ID: 21608
    Horde Kronolith Calendar Multiple Field XSS

    Source: CCN
    Type: OSVDB ID: 21609
    Horde Kronolith Calendar Event Manipulation XSS

    Source: CCN
    Type: OSVDB ID: 21610
    Horde Kronolith Calendar Search Function Multiple Method XSS

    Source: CCN
    Type: OSVDB ID: 21611
    Horde Kronolith Calendar Edit Permission Function XSS

    Source: CCN
    Type: BID-15808
    Horde Kronolith Multiple HTML Injection Vulnerabilities

    Source: XF
    Type: UNKNOWN
    kronolith-multi-title-delete-information(23615)

    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.debian:def:970
    V
    		missing input sanitising
    2006-02-14
    BACK
    horde kronolith h3 2.0
    horde kronolith h3 2.0.1
    horde kronolith h3 2.0.2
    horde kronolith h3 2.0.2_rc1
    horde kronolith h3 2.0.3
    horde kronolith h3 2.0.3_rc1
    horde kronolith h3 2.0.4
    horde kronolith h3 2.0.4_rc1
    horde kronolith h3 2.0.5
    horde kronolith h3 2.0_alpha
    horde kronolith h3 2.0_beta
    horde kronolith h3 2.0_rc1
    horde kronolith h3 2.0_rc2
    horde kronolith h3 2.0_rc3
    horde kronolith 2.0.5
    debian debian linux 3.1