CVE-2014-4946

Horde IMP <6.1.8 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view.

References (6)

[Vendor Advisory] http://lists.horde.org/archives/announce/2014/001019.html

[Various Sources] http://lists.horde.org/archives/announce/2014/001025.html

[Various Sources] https://github.com/horde/horde/blob/4513649810f13a32f1193bdeed76f7d85a5efa05/bundles/webmail/docs/CHANGES

[Various Sources] https://github.com/horde/horde/blob/c0144ac03814a8c2cf6fc5ac0d1af2653e9ee139/imp/docs/CHANGES

View Writeup ZIP pw:eip

[Third Party Advisory] http://secunia.com/advisories/59770

[Third Party Advisory] http://secunia.com/advisories/59772

Scores

EPSS 0.0047

EPSS Percentile 64.6%

Details

CWE

CWE-79

Status published

Products (38)

horde/groupware < 5.1.4

horde/groupware

horde/groupware

horde/groupware

horde/groupware

horde/groupware

horde/groupware

horde/groupware

horde/groupware

horde/groupware

... and 28 more

Published Jul 14, 2014

Tracked Since Feb 18, 2026