Michael J Rubinsky

4 exploits. Active since Apr 2016.
CVE-2015-8807 MEDIUM WRITEUP
Fedora - Cross-Site Scripting
Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields.
CVSS 6.1
CVE-2017-16906 MEDIUM WRITEUP
Horde Groupware 5.2.19-5.2.22 - Stored Cross-Site Scripting via Calendar Event URL Field
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
CVSS 5.4
CVE-2017-16907 MEDIUM WRITEUP
Horde Groupware 5.2.19 and 5.2.21 - Stored Cross-Site Scripting via Task List Color Field
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
CVSS 5.4
CVE-2017-16908 MEDIUM WRITEUP
Horde Groupware 5.2.19 - Stored Cross-Site Scripting via Resource Name Field
In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.
CVSS 5.4