XSS in Horde Horde_application_framework

CVE-2010-3077

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter.

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.007 (73.2th percentile) — read the EPSS interpretation.

Affected products

Horde Horde_application_framework — versions 3.2.2, 3.3.7, 2.2.7
N/a — versions n/a

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

secalert@redhat.com (x_refsource_CONFIRM)
20100906 XSS in Horde Application Framework <=3.3.8, icon_browser.php (mailing-list, Exploit, x_refsource_FULLDISC, Patch)
FEDORA-2010-16592 (x_refsource_FEDORA, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM, Patch)
FEDORA-2010-16555 (x_refsource_FEDORA, vendor-advisory)
42140 (x_refsource_SECUNIA, third-party-advisory)
[announce] 20100928 Horde 3.3.9 (final) (Vendor Advisory, mailing-list, x_refsource_MLIST, Patch)