CVE-2009-4416

phpGroupWare <0.9.16.014 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in login.php in phpGroupWare 0.9.16.12, and possibly other versions before 0.9.16.014, allows remote attackers to inject arbitrary web script or HTML via an arbitrary parameter whose name begins with the "phpgw_" sequence.

References (9)

[Various Sources] http://svn.savannah.gnu.org/viewvc/branches/Version-0_9_16-branch/login.php?r1=19063&r2=19117&pathrev=19117&sortby=date&root=phpgroupware

[Various Sources] http://svn.savannah.gnu.org/viewvc/branches/Version-0_9_16-branch/phpgwapi/doc/CHANGELOG?r1=17045&r2=19117&pathrev=19117&sortby=date&root=phpgroupware

[Various Sources] http://svn.savannah.gnu.org/viewvc?view=rev&root=phpgroupware&sortby=date&revision=19117

[Patch] http://kambing.ui.ac.id/gentoo-portage/www-apps/phpgroupware/files/phpgroupware-SA35519.patch

[Vendor Advisory] http://secunia.com/advisories/35519

[Third Party Advisory, VDB Entry] http://www.osvdb.org/56179

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/51923

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/35761

[Mailing List] http://www.openwall.com/lists/oss-security/2009/12/20/1

Scores

EPSS 0.0056

EPSS Percentile 67.9%

Classification

CWE

CWE-79

Status published

Affected Products (2)

phpgroupware/phpgroupware

n/a/n/a

Timeline

Published Dec 24, 2009

Tracked Since Feb 18, 2026