XSS in Horde Groupware

CVE-2012-5566

Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Groupware Webmail Edition before 4.0.8, allow remote attackers to inject arbitrary web script or HTML via the (1…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.006 (71.2th percentile) — read the EPSS interpretation.

Affected products

Horde Groupware — versions 4.0, 4.0.1, 4.0.2
Horde Kronolith_h4 — versions 3.0, 3.0.1, 3.0.2
N/a — versions n/a

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

openSUSE-SU-2012:1625 (vendor-advisory, x_refsource_SUSE)
secalert@redhat.com (x_refsource_CONFIRM)
82382 (x_refsource_OSVDB, vdb-entry)
[announce] 20120529 Horde Groupware Webmail Edition 4.0.8 (final) (Vendor Advisory, mailing-list, x_refsource_MLIST)
[oss-security] 20121123 CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws (mailing-list, x_refsource_MLIST)
[oss-security] 20121123 Re: CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws (mailing-list, x_refsource_MLIST)
82371 (x_refsource_OSVDB, vdb-entry)
1027106 (vdb-entry, x_refsource_SECTRACK)
secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
51469 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)