Jan Schneider

7 exploits · Active since Jan 2014
CVE-2016-2228 WRITEUP MEDIUM WRITEUP
Debian Linux < 5.2.11 - XSS
Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php.
CVSS 6.1
CVE-2016-5303 WRITEUP MEDIUM WRITEUP
Horde Groupware - Cross-Site Scripting via Text Filter API
Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute.
CVSS 6.1
CVE-2012-6620 WRITEUP WRITEUP
Kronolith H4 < 3.0.17 - Cross-Site Scripting in Tasks and Search Views
Multiple cross-site scripting (XSS) vulnerabilities in the (1) tasks and (2) search views in Horde Kronolith H4 before 3.0.17 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2012-6640 WRITEUP WRITEUP
Horde Groupware Webmail Edition < 4.0.9 and IMP < 5.0.22 - Cross-Site Scripting via SVG Image Attachment
Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted SVG image attachment, a different vulnerability than CVE-2012-5565.
CVE-2017-14650 WRITEUP HIGH WRITEUP
Horde_Image 2.0.0-2.5.1 - Remote Code Execution via ImageMagick Command Line Index Field
A Remote Code Execution vulnerability has been found in the Horde_Image library when using the "Im" backend that utilizes ImageMagick's "convert" utility. It's not exploitable through any Horde application, because the code path to the vulnerability is not used by any Horde code. Custom applications using the Horde_Image library might be affected. This vulnerability affects all versions of Horde_Image from 2.0.0 to 2.5.1, and is fixed in 2.5.2. The problem is missing input validation of the index field in _raw() during construction of an ImageMagick command line.
CVSS 8.1
CVE-2020-8034 WRITEUP MEDIUM STUB
Gollem < 3.0.13 - Reflected Cross-Site Scripting via HTTP GET dir Parameter
Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
CVSS 6.1
CVE-2022-26874 WRITEUP MEDIUM WRITEUP
Horde Mime_Viewer < 2.2.4 - Cross-Site Scripting via OpenOffice Document
lib/Horde/Mime/Viewer/Ooo.php in Horde Mime_Viewer before 2.2.4 allows XSS via an OpenOffice document, leading to account takeover in Horde Groupware Webmail Edition. This occurs after XSLT rendering.
CVSS 5.4