Description
Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Exploits (3)
exploitdb
WRITEUP
VERIFIED
by Ivan Sanchez · textwebappsphp
https://www.exploit-db.com/exploits/31838
exploitdb
WRITEUP
VERIFIED
by Ivan Sanchez · textwebappsphp
https://www.exploit-db.com/exploits/31839
exploitdb
WRITEUP
VERIFIED
by Ivan Sanchez · textwebappsphp
https://www.exploit-db.com/exploits/31840
References (2)
Core 2
Core References
Exploit vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/29365
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/42640
Scores
EPSS
0.0025
EPSS Percentile
47.8%
Details
CWE
CWE-79
Status
published
Products (3)
horde/groupware
horde/groupware_webmail_edition
horde/kronolith
Published
Jun 19, 2008
Tracked Since
Feb 18, 2026