Vulnerability Name:

CVE-2009-0931 (CCN-48285)

Assigned:2009-01-27
Published:2009-01-27
Updated:2009-03-18
Summary:Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3.2.4, in Horde 3.3.x before 3.3.3, and in Horde Groupware before 1.1.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2009-0931

Source: CONFIRM
Type: Vendor Advisory
http://cvs.horde.org/co.php/groupware/docs/groupware/CHANGES?r=1.28.2.5

Source: CONFIRM
Type: UNKNOWN
http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.413.2.5

Source: CONFIRM
Type: UNKNOWN
http://cvs.horde.org/co.php/horde/docs/CHANGES?r=1.515.2.503

Source: CCN
Type: announce Mailing List, Tue Jan 27 15:09:41 UTC 2009
Horde 3.3.3 (final)

Source: MLIST
Type: Vendor Advisory
[announce] 20090127 Horde 3.3.3 (final)

Source: CCN
Type: announce Mailing List, Tue Jan 27 15:17:52 UTC 2009
Horde 3.2.4 (final)

Source: MLIST
Type: Vendor Advisory
[announce] 20090127 Horde 3.2.4 (final)

Source: CCN
Type: announce Mailing List, Tue Jan 27 17:37:00 UTC 2009
Horde Groupware 1.1.5 (final)

Source: MLIST
Type: Vendor Advisory
[announce] 20090127 Horde Groupware 1.1.5 (final)

Source: CCN
Type: SA33695
Horde / Horde Groupware Cross-Site Scripting and File Inclusion Vulnerability

Source: SECUNIA
Type: Vendor Advisory
33695

Source: CCN
Type: Horde Web site
The Horde Project

Source: CCN
Type: OSVDB ID: 51888
Horde Multiple Products horde/services/portal/cloud_search.php Unspecified Parameter XSS

Source: BID
Type: Patch
33491

Source: CCN
Type: BID-33491
Horde Products Local File Include and Cross Site Scripting Vulnerabilities

Source: XF
Type: UNKNOWN
horde-cloudsearch-xss(48285)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:debian:horde:3.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:debian:horde:3.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:debian:horde:3.3:*:*:*:*:*:*:*
  • OR cpe:/a:debian:horde:*:*:*:*:*:*:*:* (Version <= 3.3.1)
  • OR cpe:/a:debian:horde:*:*:*:*:*:*:*:* (Version <= 3.3.2)
  • OR cpe:/a:debian:horde_groupware:*:*:*:*:*:*:*:* (Version <= 1.1.1)
  • OR cpe:/a:debian:horde_groupware:*:*:*:*:*:*:*:* (Version <= 1.1.2)
  • OR cpe:/a:debian:horde_groupware:*:*:*:*:*:*:*:* (Version <= 1.1.3)
  • OR cpe:/a:debian:horde_groupware:*:*:*:*:*:*:*:* (Version <= 1.1.4)

Configuration CCN 1:
  • cpe:/a:horde:horde:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_groupware:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_groupware:1.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_groupware:1.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_groupware:1.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_groupware:1.1.1:*:*:*:*:*:*:*

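A version-range check derived from the Summary line, added here as an example; it is not data from this record and not Horde's own code. It encodes the fixed releases announced on 2009-01-27 (Horde 3.2.4 and 3.3.3, Horde Groupware 1.1.5) and treats everything older on the same or an earlier branch as affected. The `FIXED` table, `parse_version()`, `status()` and `scan()` are the example's own names, and the inventory rows are constructed (made-up hostnames). A branch newer than any release the advisory names, such as the Groupware 1.2 CPE under Configuration CCN 1, is reported as `uncovered` rather than guessed at.

```python
"""Affected-version check for CVE-2009-0931.

Added example, not code from the advisory record or from the Horde
project. The ranges encode the Summary line: Horde before 3.2.4,
Horde 3.3.x before 3.3.3, Horde Groupware before 1.1.5.
"""

import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Pre-release markers sort below the final release of the same number.
PRERELEASE = re.compile(r"(?i)\b(rc|alpha|beta|pre)\d*")


def parse_version(text: str) -> Version:
    """Turn a release string into a comparable tuple.

    '3.3' -> (3, 3, 0, 1); '3.2.3' -> (3, 2, 3, 1). The last component is
    1 for a final release and 0 for an rc/alpha/beta, so '3.3.3-rc1' sorts
    before '3.3.3'. A distribution suffix such as '3.3.2+debian0-2' is
    ignored, since only the upstream number decides the advisory range.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (3 - len(parts))  # pad '3.3' to (3, 3, 0)
    final = 0 if PRERELEASE.search(m.group(2)) else 1
    return parts + (final,)


# First fixed release per (major, minor) branch, from the Summary line.
FIXED: Dict[str, List[Version]] = {
    "horde": [parse_version("3.2.4"), parse_version("3.3.3")],
    "horde_groupware": [parse_version("1.1.5")],
}


def status(product: str, version: str) -> str:
    """Return 'affected', 'fixed' or 'uncovered' for a product/version pair.

    'uncovered' means the branch is newer than any release the advisory
    names, so the Summary's ranges say nothing about it (the Groupware 1.2
    CPE under 'Configuration CCN 1' lands here).
    """
    if product not in FIXED:
        raise ValueError(f"product not in this advisory: {product!r}")
    v = parse_version(version)
    branch = v[:2]
    for fixed in FIXED[product]:
        if branch == fixed[:2]:
            return "affected" if v < fixed else "fixed"
    oldest_fixed_branch = min(f[:2] for f in FIXED[product])
    if branch < oldest_fixed_branch:
        return "affected"  # "before 3.2.4" also covers 3.1.x, 3.0.x, ...
    return "uncovered"


def scan(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map host -> status for a list of (host, product, version) rows."""
    return {host: status(product, version) for host, product, version in inventory}


# Constructed sample inventory; hostnames are made up for the example.
SAMPLE_INVENTORY = [
    ("mail1.example.test", "horde", "3.2.3"),
    ("mail2.example.test", "horde", "3.3.2+debian0-2"),
    ("mail3.example.test", "horde", "3.3.3"),
    ("gw1.example.test", "horde_groupware", "1.1.4"),
    ("gw2.example.test", "horde_groupware", "1.2"),
]

if __name__ == "__main__":
    for host, result in scan(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
```

The branch-aware comparison matters because "before 3.2.4 and 3.3.3" is two ranges, not one: a 3.2.5 install is fixed even though it is numerically below 3.3.3, while a 3.3.0 install is affected even though it is above 3.2.4.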