CVE-2009-3701
Horde Application Framework < 3.3.5 - XSS
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
Exploits (4)
exploitdb
WORKING POC
VERIFIED
by Juan Galiana Lara · text · webapps · php
https://www.exploit-db.com/exploits/33406
exploitdb
WRITEUP
VERIFIED
by Juan Galiana Lara · text · webapps · php
https://www.exploit-db.com/exploits/10512
exploitdb
WORKING POC
VERIFIED
by Juan Galiana Lara · text · webapps · php
https://www.exploit-db.com/exploits/33408
exploitdb
WRITEUP
VERIFIED
by Juan Galiana Lara · text · webapps · php
https://www.exploit-db.com/exploits/33407
References (13)
Scores
EPSS
0.0219
EPSS Percentile
84.2%
Classification
CWE
CWE-79
Status
published
Affected Products (50)
horde/application_framework
< 3.3.5
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
horde/application_framework
... and 35 more
Timeline
Published
Dec 21, 2009
Tracked Since
Feb 18, 2026