CVE-2016-5303
MEDIUM
Horde Groupware - Cross-Site Scripting via Text Filter API
Title source: llm
Description
Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute.
References (5)
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/horde/horde/commit/30d5506c20d26efbb9942fbdc6f981a0bd333b97
Release Notes, Third Party Advisory mailing-list x_refsource_mlist
http://marc.info/?l=horde-announce&m=147319066126665&w=2
Release Notes, Third Party Advisory mailing-list x_refsource_mlist
http://marc.info/?l=horde-announce&m=147319089526753&w=2
Patch, Vendor Advisory x_refsource_confirm
https://github.com/horde/horde/commit/4d8176d1e9ef5cbd2b3fcacd9b9a4c8e482fb424
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/94997
Scores
CVSS v3
6.1
EPSS
0.0151
EPSS Percentile
71.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
horde/groupware
5.2.15 (2 CPE variants)
Published
Dec 20, 2016
Tracked Since
Feb 18, 2026