vendor:
Horde Application Framework
by:
Juan Galiana Lara
6.3
CVSS
MEDIUM
Cross-Site Scripting
79
CWE
Product Name: Horde Application Framework
Affected Version From: Horde 3.3.5
Affected Version To: Horde 3.3.5
Patch Exists: YES
Related CWE: CVE-2009-3701
CPE: horde:horde:3.3.5
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: None
2009
Horde 3.3.5 “PHP_SELF” Cross-Site Scripting vulnerability
Input passed to 'PHP_SELF' variable is not properly filtered before being returned to the user. This can be explotied to inject arbitrary HTML or to execute arbitrary script code in a user's browser session in context of an affected site. In order to successfully exploit this vulnerability the targeted user has to be logged as an administrator.
Mitigation:
Upgrade to Horde 3.3.6