Description
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1) tasks view or (2) search view.
References (12)
Core References
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html
Various Sources x_refsource_confirm
http://bugs.horde.org/ticket/11189
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/82382
Vendor Advisory mailing-list
x_refsource_mlist
http://lists.horde.org/archives/announce/2012/000773.html
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/11/23/3
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/11/23/7
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/82371
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1027106
Vendor Advisory x_refsource_confirm
https://github.com/horde/horde/blob/master/kronolith/docs/CHANGES
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/51469
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/56541
Patch x_refsource_confirm
http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
Scores
EPSS
0.0065
EPSS Percentile
70.9%
Details
CWE
CWE-79
Status
published
Products (25)
horde/groupware
4.0 (3 CPE variants)
horde/groupware
4.0.1
horde/groupware
4.0.2
horde/groupware
4.0.3
horde/groupware
4.0.4
horde/groupware
4.0.5
horde/groupware
4.0.6
horde/groupware
< 4.0.7
horde/kronolith_h4
3.0 (5 CPE variants)
horde/kronolith_h4
3.0.1
... and 15 more
Published
Apr 05, 2014
Tracked Since
Feb 18, 2026