CVE-2008-0807
First published: Fri Feb 08 2008(Updated: )
It was reported that turba does not properly check permissions on address books, allowing users to modify addresses in other users' address books. This problem affects both shared and non-shared address books. Knowing (or guessing) the object_id seems to be sufficient to allow modification of other users' addresses. More information can be found in Debian bug report, which also contains some proposed patches: <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058</a> Upstream bug report: <a href="http://bugs.horde.org/ticket/?id=6208">http://bugs.horde.org/ticket/?id=6208</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/3.1.6 | <1. | 1. |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Debian | =4.0 | |
| Horde Groupware Webmail Edition | =1.0.3 | |
| Horde Groupware | =1.0.4 | |
| Horde Turba Contact Manager H3 | =2.1.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.horde.org/archives/announce/2008/000380.html
- http://lists.horde.org/archives/announce/2008/000381.html
- http://lists.horde.org/archives/announce/2008/000379.html
- http://lists.horde.org/archives/announce/2008/000378.html
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
- http://www.securityfocus.com/bid/27844
- http://secunia.com/advisories/28982
- http://www.debian.org/security/2008/dsa-1507
- http://www.securitytracker.com/id?1019433
- http://secunia.com/advisories/29071
- https://bugzilla.redhat.com/show_bug.cgi?id=432027
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html
- http://secunia.com/advisories/29184
- http://secunia.com/advisories/29185
- http://secunia.com/advisories/29186
- http://www.vupen.com/english/advisories/2008/0593/references
- http://bugs.horde.org/ticket/?id=6208
- http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=94;filename=turba_2.1.7.patch;att=3;bug=464058
Frequently Asked Questions
What is the severity of CVE-2008-0807?
CVE-2008-0807 has high severity due to its potential for unauthorized modification of user address books.
How do I fix CVE-2008-0807?
To fix CVE-2008-0807, ensure that proper permission checks are implemented for accessing address books.
Which software is affected by CVE-2008-0807?
CVE-2008-0807 affects Horde Turba Contact Manager versions prior to 2.1.6.
Can CVE-2008-0807 affect shared address books?
Yes, CVE-2008-0807 affects both shared and non-shared address books, allowing unauthorized modifications.
What can happen if CVE-2008-0807 is exploited?
If exploited, CVE-2008-0807 could allow unauthorized users to modify or delete addresses in other users' address books.
- collector/nvd-historical
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-0807
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/debian
- canonical/debian
- version/debian/4.0
- vendor/horde
- canonical/horde groupware webmail edition
- version/horde groupware webmail edition/1.0.3
- canonical/horde groupware
- version/horde groupware/1.0.4
- canonical/horde turba contact manager h3
- version/horde turba contact manager h3/2.1.6