CVE-2008-2783

Horde Groupware - Cross-Site Scripting via Timestamp Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2008-2783. PoCs published by Ivan Sanchez.

AI-analyzed exploit summary The provided text describes a cross-site scripting (XSS) vulnerability in Horde Kronolith, where user-supplied input is not properly sanitized. The example URL demonstrates how an attacker could inject arbitrary script code via the 'timestamp' parameter.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Exploits (3)

exploitdb WRITEUP VERIFIED
by Ivan Sanchez · textwebappsphp
https://www.exploit-db.com/exploits/31838

The provided text describes a cross-site scripting (XSS) vulnerability in Horde Kronolith, where user-supplied input is not properly sanitized. The example URL demonstrates how an attacker could inject arbitrary script code via the 'timestamp' parameter.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Horde Kronolith (version not specified)
No auth needed
Prerequisites: Access to a vulnerable Horde Kronolith instance · Ability to craft a malicious URL with XSS payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Ivan Sanchez · textwebappsphp
https://www.exploit-db.com/exploits/31839

The provided text describes a cross-site scripting (XSS) vulnerability in Horde Kronolith, where user-supplied input is not properly sanitized. The example URL demonstrates how an attacker could inject arbitrary script code via the 'timestamp' parameter.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Horde Kronolith (version not specified)
No auth needed
Prerequisites: Access to a vulnerable Horde Kronolith instance · Ability to craft a malicious URL
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Ivan Sanchez · textwebappsphp
https://www.exploit-db.com/exploits/31840

The provided text describes a cross-site scripting (XSS) vulnerability in Horde Kronolith, where user-supplied input is not properly sanitized. The example URL demonstrates how an attacker could inject arbitrary script code into the browser context of an unsuspecting user.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: Horde Kronolith (version not specified)
No auth needed
Prerequisites: Access to a vulnerable Horde Kronolith instance · Ability to craft a malicious URL with XSS payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/29365
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/42640

Scores

EPSS 0.0150
EPSS Percentile 71.0%

Details

CWE
CWE-79
Status published
Products (3)
horde/groupware
horde/groupware_webmail_edition
horde/kronolith
Published Jun 19, 2008
Tracked Since Feb 18, 2026