Vulnerability CVE-2010-3693

Vulnerability CVE-2010-3693

Published: 2011-04-04 Modified: 2012-02-13

Description:

Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
4.3/10	2.9/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
None	Partial	None

Affected software
Horde -> Dynamic imp
Horde -> Groupware

References:

http://openwall.com/lists/oss-security/2010/10/01/6

http://openwall.com/lists/oss-security/2010/09/30/8

http://openwall.com/lists/oss-security/2010/09/30/7

http://lists.horde.org/archives/announce/2010/000568.html

http://lists.horde.org/archives/announce/2010/000561.html

http://git.horde.org/diff.php/imp/lib/Views/ListMessages.php?rt=horde-git&r1=b496687e2e71f3ebaecdff5ee49561fbfc1c74cb&r2=48913cf3af81875d6e5c6f32e030c5913f22f25d

http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde&r1=1.35.2.11&r2=1.35.2.13&ty=h

http://bugs.horde.org/ticket/9240

http://xforce.iss.net/xforce/xfdb/62080

http://www.vupen.com/english/advisories/2010/2522

http://www.osvdb.org/68267

http://secunia.com/advisories/41639

http://cvs.horde.org/diff.php/dimp/docs/CHANGES?rt=horde&r1=1.69.2.82&r2=1.69.2.87&ty=h

Vulnerability CVE-2010-3693

Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names.

CWE-79

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

4.3/10

2.9/10

8.6/10

Remote

Medium

No required

None

Partial

None

Affected software

References: