Vulnerability Name: CVE-2005-4190 (CCN-23620)

Assigned: 2005-12-11
Published: 2005-12-11
Updated: 2011-09-13
Summary: Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework before 3.0.8 allow remote authenticated users to inject arbitrary web script or HTML via multiple vectors, as demonstrated by (1) the identity field, (2) Category and (3) Label search fields, (4) the Mobile Phone field, and (5) Date and (6) Time fields when importing CSV files, as exploited through modules such as (a) Turba Address Book, (b) Kronolith, (c) Mnemo, and (d) Nag.
CVSS v3 Severity: 2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
CCN CVSS v2 Severity: 2.1 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: CCN
Type: Full-Disclosure Mailing List, Sun Dec 11 2005 - 14:04:30 CST
SEC Consult SA-20051211-0 :: Several XSS issues in Horde Framework, Kronolith Calendar, Mnemo Notes, Nag Tasks and Turba Addressbook

Source: MITRE
Type: CNA
CVE-2005-4190

Source: MITRE
Type: CNA
CVE-2005-4192

Source: MLIST
Type: Patch
[horde-announce] 20051211 Horde 3.0.8 (final)

Source: CCN
Type: SA17964
Mnemo Script Insertion Vulnerabilities

Source: CCN
Type: SA17970
Horde Script Insertion Vulnerabilities

Source: SECUNIA
Type: Patch, Vendor Advisory
17970

Source: SECUNIA
Type: Vendor Advisory
19619

Source: SECUNIA
Type: Vendor Advisory
19897

Source: SECUNIA
Type: Vendor Advisory
20960

Source: DEBIAN
Type: UNKNOWN
DSA-1033

Source: DEBIAN
Type: DSA-1033
horde3 -- several vulnerabilities

Source: CCN
Type: Mnemo Web site
Mnemo

Source: SUSE
Type: UNKNOWN
SUSE-SR:2006:009

Source: SUSE
Type: UNKNOWN
SUSE-SR:2006:016

Source: CCN
Type: OSVDB ID: 21604
Horde Mnemo Application Notepad Multiple Field XSS

Source: CCN
Type: OSVDB ID: 21606
Horde Framework Multiple Field XSS

Source: CCN
Type: OSVDB ID: 21607
Horde Framework CSV Import Multiple Field Arbitrary Script Execution

Source: MISC
Type: UNKNOWN
http://www.sec-consult.com/245.html

Source: BID
Type: UNKNOWN
15802

Source: CCN
Type: BID-15802
Horde Turba Multiple HTML Injection Vulnerabilities

Source: BID
Type: UNKNOWN
15803

Source: CCN
Type: BID-15803
Horde Mnemo Remote HTML Injection Vulnerabilities

Source: BID
Type: UNKNOWN
15804

Source: CCN
Type: BID-15804
Horde Nag Remote HTML Injection Vulnerabilities

Source: BID
Type: UNKNOWN
15806

Source: CCN
Type: BID-15806
Horde Application Framework Input Validation Vulnerabilities

Source: BID
Type: UNKNOWN
15808

Source: CCN
Type: BID-15808
Horde Kronolith Multiple HTML Injection Vulnerabilities

Source: BID
Type: UNKNOWN
15810

Source: CCN
Type: BID-15810
Horde Application Framework CSV File Upload Code Execution Vulnerability

Source: VUPEN
Type: Vendor Advisory
ADV-2005-2835

Source: XF
Type: UNKNOWN
mnemo-notepad-xss(23620)

Source: SUSE
Type: SUSE-SR:2006:009
SUSE Security Summary Report

Source: SUSE
Type: SUSE-SR:2006:016
SUSE Security Summary Report

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:horde:horde_application_framework:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.2_1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.3_2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.3_3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.3_4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.7:*:*:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions
Definition ID                              Class  Title                    Last Modified
oval:org.opensuse.security:def:20054190    V      CVE-2005-4190            2015-11-16
oval:org.debian:def:1033                   V      several vulnerabilities  2006-04-12