CVE-2009-3701: XSS
First published: Mon Dec 21 2009(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Horde Horde application framework | =3.0.2 | |
| Horde Groupware Webmail Edition | =1.1 | |
| Horde Horde application framework | =3.2.4 | |
| Horde Horde application framework | =2.1 | |
| Horde Groupware Webmail Edition | =1.0 | |
| Horde Groupware Webmail Edition | =1.2.2 | |
| Horde Horde application framework | =2.2.4_rc1 | |
| Horde Groupware Webmail Edition | =1.1.5 | |
| Horde Horde application framework | =3.2.1 | |
| Horde Horde application framework | <=3.3.5 | |
| Horde Horde application framework | =2.0 | |
| Horde Horde application framework | =3.3.2 | |
| Horde Horde application framework | =3.0.8 | |
| Horde Groupware Webmail Edition | =1.2.1 | |
| Horde Horde application framework | =3.0 | |
| Horde Groupware Webmail Edition | =1.0.2 | |
| Horde Horde application framework | =3.2.2 | |
| Horde Groupware Webmail Edition | <=1.2.4 | |
| Horde Groupware Webmail Edition | =1.0.1 | |
| Horde Groupware Webmail Edition | =1.0.5 | |
| Horde Horde application framework | =2.2 | |
| Horde Groupware Webmail Edition | =1.1.1 | |
| Horde Horde application framework | =2.2.3 | |
| Horde Horde application framework | =3.0.7 | |
| Horde Horde application framework | =2.2.1 | |
| Horde Horde application framework | =2.2.6 | |
| Horde Horde application framework | =2.1.3 | |
| Horde Horde application framework | =3.0.4 | |
| Horde Horde application framework | =3.1 | |
| Horde Groupware Webmail Edition | =1.0.3 | |
| Horde Horde application framework | =3.0.1 | |
| Horde Horde application framework | =3.0.6 | |
| Horde Horde application framework | =3.3.3 | |
| Horde Groupware Webmail Edition | =1.1.3 | |
| Horde Horde application framework | =2.2.5 | |
| Horde Horde application framework | =3.3.4 | |
| Horde Horde application framework | =3.2.3 | |
| Horde Horde application framework | =3.3.1 | |
| Horde Groupware Webmail Edition | =1.0.4 | |
| Horde Horde application framework | =3.2 | |
| Horde Groupware Webmail Edition | =1.2-rc1 | |
| Horde Groupware Webmail Edition | =1.2 | |
| Horde Horde application framework | =3.0.3 | |
| Horde Horde application framework | =2.2.4 | |
| Horde Horde application framework | =3.1.1 | |
| Horde Groupware Webmail Edition | =1.1.4 | |
| Horde Horde application framework | =3.0.9 | |
| Horde Horde application framework | =3.3 | |
| Horde Groupware Webmail Edition | =1.1.2 | |
| Horde Groupware Webmail Edition | =1.2.3 | |
| Horde Groupware Webmail Edition | =1.0-rc1 | |
| Horde Groupware Webmail Edition | =1.0-rc2 | |
| Horde Groupware Webmail Edition | =1.0.6 | |
| Horde Groupware Webmail Edition | =1.0.7 | |
| Horde Groupware Webmail Edition | =1.0.8 | |
| Horde Groupware Webmail Edition | =1.1-rc1 | |
| Horde Groupware Webmail Edition | =1.1-rc2 | |
| Horde Groupware Webmail Edition | =1.1-rc3 | |
| Horde Groupware Webmail Edition | =1.1-rc4 | |
| Horde Groupware Webmail Edition | =1.1.6 | |
| Horde Groupware Webmail Edition | =1.2.3-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/37351
- http://archives.neohapsis.com/archives/fulldisclosure/2009-12/0388.html
- http://secunia.com/advisories/37823
- http://marc.info/?l=horde-announce&m=126101076422179&w=2
- http://lists.horde.org/archives/announce/2009/000529.html
- http://secunia.com/advisories/37709
- http://securitytracker.com/id?1023365
- http://marc.info/?l=horde-announce&m=126100750018478&w=2
- http://www.vupen.com/english/advisories/2009/3549
- http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559&r2=1.515.2.589&ty=h
- http://www.vupen.com/english/advisories/2009/3572
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54817
- http://www.securityfocus.com/archive/1/508531/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2009-3701?
CVE-2009-3701 has a CVSS score that indicates it is a medium severity vulnerability, primarily affecting web applications.
How do I fix CVE-2009-3701?
To fix CVE-2009-3701, update your Horde Application Framework or Horde Groupware to the latest version, specifically 3.3.6 or later.
Which versions are affected by CVE-2009-3701?
CVE-2009-3701 affects multiple versions of Horde Application Framework before 3.3.6 and Horde Groupware before 1.2.5.
What type of vulnerability is CVE-2009-3701?
CVE-2009-3701 is classified as a cross-site scripting (XSS) vulnerability that allows attackers to inject arbitrary scripts.
Can CVE-2009-3701 be exploited remotely?
Yes, CVE-2009-3701 can be exploited remotely by attackers who gain access to the administration interface.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/horde
- canonical/horde horde application framework
- version/horde horde application framework/3.0.2
- canonical/horde groupware webmail edition
- version/horde groupware webmail edition/1.1
- version/horde horde application framework/3.2.4
- version/horde horde application framework/2.1
- version/horde groupware webmail edition/1.0
- version/horde groupware webmail edition/1.2.2
- version/horde horde application framework/2.2.4_rc1
- version/horde groupware webmail edition/1.1.5
- version/horde horde application framework/3.2.1
- version/horde horde application framework/3.3.5
- version/horde horde application framework/2.0
- version/horde horde application framework/3.3.2
- version/horde horde application framework/3.0.8
- version/horde groupware webmail edition/1.2.1
- version/horde horde application framework/3.0
- version/horde groupware webmail edition/1.0.2
- version/horde horde application framework/3.2.2
- version/horde groupware webmail edition/1.2.4
- version/horde groupware webmail edition/1.0.1
- version/horde groupware webmail edition/1.0.5
- version/horde horde application framework/2.2
- version/horde groupware webmail edition/1.1.1
- version/horde horde application framework/2.2.3
- version/horde horde application framework/3.0.7
- version/horde horde application framework/2.2.1
- version/horde horde application framework/2.2.6
- version/horde horde application framework/2.1.3
- version/horde horde application framework/3.0.4
- version/horde horde application framework/3.1
- version/horde groupware webmail edition/1.0.3
- version/horde horde application framework/3.0.1
- version/horde horde application framework/3.0.6
- version/horde horde application framework/3.3.3
- version/horde groupware webmail edition/1.1.3
- version/horde horde application framework/2.2.5
- version/horde horde application framework/3.3.4
- version/horde horde application framework/3.2.3
- version/horde horde application framework/3.3.1
- version/horde groupware webmail edition/1.0.4
- version/horde horde application framework/3.2
- version/horde groupware webmail edition/1.2-rc1
- version/horde groupware webmail edition/1.2
- version/horde horde application framework/3.0.3
- version/horde horde application framework/2.2.4
- version/horde horde application framework/3.1.1
- version/horde groupware webmail edition/1.1.4
- version/horde horde application framework/3.0.9
- version/horde horde application framework/3.3
- version/horde groupware webmail edition/1.1.2
- version/horde groupware webmail edition/1.2.3
- version/horde groupware webmail edition/1.0-rc1
- version/horde groupware webmail edition/1.0-rc2
- version/horde groupware webmail edition/1.0.6
- version/horde groupware webmail edition/1.0.7
- version/horde groupware webmail edition/1.0.8
- version/horde groupware webmail edition/1.1-rc1
- version/horde groupware webmail edition/1.1-rc2
- version/horde groupware webmail edition/1.1-rc3
- version/horde groupware webmail edition/1.1-rc4
- version/horde groupware webmail edition/1.1.6
- version/horde groupware webmail edition/1.2.3-rc1