Vulnerability Name:

CVE-2010-3077 (CCN-62119)

Assigned:2010-09-28
Published:2010-09-28
Updated:2011-07-12
Summary:Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2010-3077

Source: CONFIRM
Type: Patch
http://git.horde.org/diff.php/horde/util/icon_browser.php?rt=horde-git&r1=a978a35c3e95e784253508fd4333d2fbb64830b6&r2=9342addbd2b95f184f230773daa4faf5ef6d65e9

Source: FEDORA
Type: UNKNOWN
FEDORA-2010-16592

Source: FEDORA
Type: UNKNOWN
FEDORA-2010-16555

Source: MLIST
Type: Patch, Vendor Advisory
[announce] 20100928 Horde 3.3.9 (final)

Source: CCN
Type: Horde Web Site
Horde Groupware Webmail Edition 1.2.7 (final)

Source: FULLDISC
Type: Exploit, Patch
20100906 XSS in Horde Application Framework <=3.3.8, icon_browser.php

Source: CCN
Type: SA41579
Horde Groupware Webmail Edition Two Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
42140

Source: DEBIAN
Type: DSA-2278
horde3 -- several vulnerabilities

Source: CCN
Type: Horde Groupware Webmail Web site
Horde Groupware Webmail Edition

Source: CCN
Type: OSVDB ID: 67839
Horde Application Framework util/icon_browser.php subdir Parameter XSS

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=630687

Source: XF
Type: UNKNOWN
horde-groupwarewebmail-iconbrowser-xss(62119)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:horde:horde_application_framework:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:1.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.0:rc4:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.6:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:2.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0:alpha:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0:beta:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.3:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.4:rc2:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.5:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.5:rc2:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.6:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1:rc2:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1:rc3:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.1.9:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2:alpha:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2:rc2:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2:rc3:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2:rc4:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3.4:rc1:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:3.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:horde:horde_application_framework:*:*:*:*:*:*:*:* (Version <= 3.3.8)

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:12816
    P
    		DSA-2278-1 horde3 -- several
    2014-06-23
    oval:com.ubuntu.precise:def:20103077000
    V
    		CVE-2010-3077 on Ubuntu 12.04 LTS (precise) - medium.
    2010-11-09
    BACK
    horde horde application framework 1.0.3
    horde horde application framework 1.1.1
    horde horde application framework 1.3.0
    horde horde application framework 1.3.1
    horde horde application framework 1.3.2
    horde horde application framework 1.3.3
    horde horde application framework 1.3.4
    horde horde application framework 1.3.5
    horde horde application framework 2.0
    horde horde application framework 2.0 rc1
    horde horde application framework 2.0 rc3
    horde horde application framework 2.0 rc4
    horde horde application framework 2.1
    horde horde application framework 2.2
    horde horde application framework 2.2.1
    horde horde application framework 2.2.2
    horde horde application framework 2.2.3
    horde horde application framework 2.2.4
    horde horde application framework 2.2.5
    horde horde application framework 2.2.6
    horde horde application framework 2.2.6 rc1
    horde horde application framework 2.2.7
    horde horde application framework 2.2.8
    horde horde application framework 2.2.9
    horde horde application framework 3.0
    horde horde application framework 3.0 alpha
    horde horde application framework 3.0 beta
    horde horde application framework 3.0 rc1
    horde horde application framework 3.0 rc2
    horde horde application framework 3.0 rc3
    horde horde application framework 3.0.1
    horde horde application framework 3.0.2
    horde horde application framework 3.0.3
    horde horde application framework 3.0.3 rc1
    horde horde application framework 3.0.4
    horde horde application framework 3.0.4 rc1
    horde horde application framework 3.0.4 rc2
    horde horde application framework 3.0.5
    horde horde application framework 3.0.5 rc1
    horde horde application framework 3.0.5 rc2
    horde horde application framework 3.0.6
    horde horde application framework 3.0.6 rc1
    horde horde application framework 3.0.7
    horde horde application framework 3.0.8
    horde horde application framework 3.0.9
    horde horde application framework 3.0.10
    horde horde application framework 3.0.11
    horde horde application framework 3.0.12
    horde horde application framework 3.1
    horde horde application framework 3.1 rc1
    horde horde application framework 3.1 rc2
    horde horde application framework 3.1 rc3
    horde horde application framework 3.1.1
    horde horde application framework 3.1.2
    horde horde application framework 3.1.3
    horde horde application framework 3.1.4
    horde horde application framework 3.1.4 rc1
    horde horde application framework 3.1.5
    horde horde application framework 3.1.6
    horde horde application framework 3.1.7
    horde horde application framework 3.1.8
    horde horde application framework 3.1.9
    horde horde application framework 3.2
    horde horde application framework 3.2 alpha
    horde horde application framework 3.2 rc1
    horde horde application framework 3.2 rc2
    horde horde application framework 3.2 rc3
    horde horde application framework 3.2 rc4
    horde horde application framework 3.2.1
    horde horde application framework 3.2.2
    horde horde application framework 3.2.3
    horde horde application framework 3.2.4
    horde horde application framework 3.2.5
    horde horde application framework 3.3
    horde horde application framework 3.3 rc1
    horde horde application framework 3.3.1
    horde horde application framework 3.3.2
    horde horde application framework 3.3.3
    horde horde application framework 3.3.4
    horde horde application framework 3.3.4 rc1
    horde horde application framework 3.3.5
    horde horde application framework 3.3.6
    horde horde application framework 3.3.7
    horde horde application framework *