CVE-2009-3237

Horde Application Framework - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter; or (2) crafted unknown MIME "text parts" that are not properly handled in the MIME viewer library (config/mime_drivers.php).

References (12)

Scores

EPSS 0.0076
EPSS Percentile 73.1%

Classification

CWE
CWE-79
Status published

Affected Products (36)

horde/horde_application_framework
horde/horde_application_framework
horde/horde_application_framework
horde/horde_application_framework
horde/horde_application_framework
horde/horde_application_framework
horde/horde_application_framework
horde/horde_application_framework
horde/horde_application_framework
horde/horde_application_framework
horde/horde_groupware
horde/horde_groupware
horde/horde_groupware
horde/horde_groupware
horde/horde_groupware
... and 21 more

Timeline

Published Sep 17, 2009
Tracked Since Feb 18, 2026