Vulnerability Name:

CVE-2008-3823 (CCN-45030)

Assigned:2008-09-10
Published:2008-09-10
Updated:2018-10-11
Summary:Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of a MIME attachment in an e-mail message.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2008-3823

Source: CCN
Type: horde-announce Mailing List, 2008-09-10 9:22:47
Horde 3.1.9 (final)

Source: CCN
Type: horde-announce Mailing List, 2008-09-10 10:40:50
Horde 3.2.2 (final)

Source: MLIST
Type: Patch
[horde-announce] 20080910 [SECURITY] Horde 3.2.2 (final)

Source: CCN
Type: horde-announce Mailing List, 2008-09-10 11:28:12
Horde Groupware 1.0.7 (final)

Source: CCN
Type: horde-announce Mailing List, 2008-09-10 11:51:27
Horde Groupware Webmail Edition 1.0.8 (final)

Source: CCN
Type: horde-announce Mailing List, 2008-09-10 12:35:52
Horde Groupware 1.1.3 (final)

Source: CCN
Type: horde-announce Mailing List, 2008-09-10 13:08:36
Horde Groupware Webmail Edition 1.1.3 (final)

Source: MISC
Type: Patch
http://ocert.org/patches/2008-012/MIME.patch

Source: CCN
Type: SA31842
Horde Products MIME Library and HTML Message Script Insertion Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
31842

Source: SECUNIA
Type: UNKNOWN
31959

Source: SREASON
Type: UNKNOWN
4245

Source: DEBIAN
Type: UNKNOWN
DSA-1642

Source: DEBIAN
Type: DSA-1642
horde3 -- cross site scripting

Source: CCN
Type: Horde Web site
Horde Groupware Webmail Edition

Source: MISC
Type: UNKNOWN
http://www.ocert.org/advisories/ocert-2008-012.html

Source: MLIST
Type: Patch
[oss-security] 20080910 [oCERT-2008-012] Horde, Popoon frameworks common input sanitization errors (XSS)

Source: CCN
Type: OSVDB ID: 48138
Horde MIME Library MIME/MIME/Contents.php Email Attachment Filename XSS

Source: BUGTRAQ
Type: UNKNOWN
20080910 [oCERT-2008-012] Horde, Popoon frameworks common input sanitization errors (XSS)

Source: BID
Type: Exploit
31110

Source: CCN
Type: BID-31110
Horde MIME Attachment Filename Insufficient Filtering Cross-Site Scripting Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2008-2548

Source: XF
Type: UNKNOWN
horde-mime-xss(45030)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:horde:horde:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:3.2.1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:horde:horde:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:3.2.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:8241 | P | DSA-1642 horde3 -- crossite scripting | 2014-06-23
oval:org.mitre.oval:def:18588 | P | DSA-1642-1 horde3 - cross site scripting | 2014-06-23
oval:org.debian:def:1642 | V | cross site scripting | 2008-09-20