Vulnerability Name:

CVE-2008-3330 (CCN-44198)

Assigned:2008-07-27
Published:2008-07-27
Updated:2017-08-08
Summary:Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inject arbitrary web script or HTML via the contact name.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: Debian Bug report logs - #492578
horde3: Small XSS/unescaped output in services/obrowser/index.php

Source: CONFIRM
Type: Exploit
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492578

Source: MITRE
Type: CNA
CVE-2008-3330

Source: CCN
Type: Horde Web site
The Horde Project

Source: SECUNIA
Type: UNKNOWN
34609

Source: CCN
Type: SECTRACK ID: 1020566
Horde Application Framework Input Validation Hole in Contact Names Permits Cross-Site Scripting Attacks

Source: CCN
Type: SECTRACK ID: 1020567
Turba Input Validation Hole in Contact Names Permits Cross-Site Scripting Attacks

Source: DEBIAN
Type: DSA-1765
horde3 -- Multiple vulnerabilities

Source: CCN
Type: OSVDB ID: 46174
Horde Turba services/obrowser/index.php Contact View XSS

Source: BID
Type: UNKNOWN
29745

Source: CCN
Type: BID-29745
Horde Turba 'services/obrowser/index.php' HTML Injection Vulnerability

Source: SECTRACK
Type: UNKNOWN
1020566

Source: SECTRACK
Type: UNKNOWN
1020567

Source: XF
Type: UNKNOWN
horde-turba-index-xss(44198)

Source: XF
Type: UNKNOWN
horde-turba-index-xss(44198)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:debian:horde:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:debian:turba:2.2:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:horde:horde:3.2:*:*:*:*:*:*:*
  • AND
  • cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20083330
    V
    		CVE-2008-3330
    2015-11-16
    oval:org.mitre.oval:def:8165
    P
    		DSA-1765 horde3 -- Multiple vulnerabilities
    2014-06-23
    oval:org.mitre.oval:def:13562
    P
    		DSA-1765-1 horde3 -- Multiple vulnerabilities
    2014-06-23
    oval:org.debian:def:1765
    V
    		Multiple vulnerabilities
    2009-04-08
    BACK
    debian horde 3.2
    debian turba 2.2
    horde horde 3.2
    debian debian linux 4.0