XSS in Horde Groupware
CVE-2012-5565
Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.003 (53.1th percentile)
Affected products
- Horde Groupware — versions 4.0, 4.0.1, 4.0.2
- Horde IMP — versions 5.0.4, 5.0.5, 5.0.6
Weakness classification (CWE)
References
- openSUSE-SU-2012:1626 (vendor-advisory, x_refsource_SUSE)
- [announce] 20121114 IMP H4 (5.0.24) (final) (mailing-list, x_refsource_MLIST)
- secalert@redhat.com (x_refsource_CONFIRM)
- [oss-security] 20121123 Re: CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading attachments. (mailing-list, x_refsource_MLIST)
- [announce] 20121114 Horde Groupware Webmail Edition 4.0.9 (final) (Vendor Advisory, mailing-list, x_refsource_MLIST)