Vulnerability Name:

CVE-2007-1515 (CCN-33093)

Assigned:2007-03-15
Published:2007-03-15
Updated:2018-10-16
Summary:Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php.
Note: some of these details are obtained from third party information.
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Authentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availability (A): 
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): 
Access Complexity (AC): 
Authentication (Au): 
Impact Metrics:Confidentiality (C): 
Integrity (I): 
Availability (A): 
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: Full-Disclosure Mailing List, Wed Mar 14 2007 - 20:00:33 CDT
Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues

Source: MITRE
Type: CNA
CVE-2007-1515

Source: CCN
Type: Horde IMP Web site
IMP Webmail Client

Source: FULLDISC
Type: Exploit, Vendor Advisory
20070315 Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues

Source: MLIST
Type: Patch, Vendor Advisory
[announce] 20070314 IMP H3 (4.1.4) (final)

Source: CCN
Type: SA24541
IMP Script Insertion and Cross-Site Scripting Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
24541

Source: CCN
Type: SECTRACK ID: 1017774
Horde IMP Input Validation Holes in `thread.php` and `search.php` Permit Cross-Site Scripting Attacks

Source: BUGTRAQ
Type: UNKNOWN
20070315 Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues

Source: BID
Type: UNKNOWN
22975

Source: CCN
Type: BID-22975
Horde IMP Webmail Client Multiple Input Validation Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1017774

Source: VUPEN
Type: UNKNOWN
ADV-2007-0964

Source: XF
Type: UNKNOWN
horde-imp-thread-xss(33093)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:horde:imp:*:*:*:*:*:*:*:* (Version <= 4.1.3)

* Denotes that component is vulnerable
    Vulnerability Name:

    CVE-2007-1515 (CCN-33094)

    Assigned:2007-03-15
    Published:2007-03-15
    Updated:2018-10-16
    Summary:Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php.
    Note: some of these details are obtained from third party information.
    CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
    Exploitability Metrics:Attack Vector (AV): Network
    Attack Complexity (AC): High
    Privileges Required (PR): None
    User Interaction (UI): None
    Scope:Scope (S): Unchanged
    Impact Metrics:Confidentiality (C): Low
    Integrity (I): None
    Availability (A): None
    CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
    3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): 
    Access Complexity (AC): 
    Authentication (Au): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availability (A): 
    2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
    2.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
    Exploitability Metrics:Access Vector (AV): 
    Access Complexity (AC): 
    Authentication (Au): 
    Impact Metrics:Confidentiality (C): 
    Integrity (I): 
    Availability (A): 
    Vulnerability Type:CWE-Other
    Vulnerability Consequences:Gain Access
    References:Source: CCN
    Type: Full-Disclosure Mailing List, Wed Mar 14 2007 - 20:00:33 CDT
    Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues

    Source: MITRE
    Type: CNA
    CVE-2007-1515

    Source: CCN
    Type: Horde IMP Web site
    IMP Webmail Client

    Source: CCN
    Type: SA24541
    IMP Script Insertion and Cross-Site Scripting Vulnerabilities

    Source: CCN
    Type: SECTRACK ID: 1017774
    Horde IMP Input Validation Holes in `thread.php` and `search.php` Permit Cross-Site Scripting Attacks

    Source: CCN
    Type: BID-22975
    Horde IMP Webmail Client Multiple Input Validation Vulnerabilities

    Source: XF
    Type: UNKNOWN
    horde-imp-search-xss(33094)

    horde imp *