XSS in Horde Groupware

CVE-2010-3695

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchma…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.012 (79.0th percentile) — read the EPSS interpretation.

Affected products

Horde Groupware — versions 1.0, 1.0.1, 1.0.2
Horde Imp — versions 2.0, 2.2, 2.2.1
N/a — versions n/a

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

[announce] 20100928 Horde Groupware Webmail Edition 1.2.7 (final) (mailing-list, x_refsource_MLIST)
43515 (Exploit, vdb-entry, x_refsource_BID)
DSA-2204 (vendor-advisory, x_refsource_DEBIAN)
secalert@redhat.com (x_refsource_CONFIRM, Patch)
[oss-security] 20101001 Re: CVE request: Horde Gollem <1.1.2 XSS in view.php (mailing-list, x_refsource_MLIST, Patch)
secalert@redhat.com (x_refsource_CONFIRM)
20100927 XSS in Horde IMP <=4.3.7, fetchmailprefs.php (mailing-list, x_refsource_BUGTRAQ)
20100927 XSS in Horde IMP <=4.3.7, fetchmailprefs.php (mailing-list, Exploit, x_refsource_FULLDISC)
[announce] 20100928 IMP H3 (4.3.8) (final) (mailing-list, x_refsource_MLIST, Patch)
secalert@redhat.com (x_refsource_CONFIRM)