What is CVE-2014-1691?

CVE-2014-1691 is a vulnerability in Horde Horde_application_framework, classified under Code Injection. Published 2014-04-01.

Is CVE-2014-1691 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Horde Horde_application_framework

CVE-2014-1691

The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.814 (99.2th percentile) — read the EPSS interpretation.

Affected products

Horde Horde_application_framework — versions 5.0.0, 5.0.1, 5.0.2
N/a — versions n/a

Weakness classification (CWE)

CWE-94 — Code Injection

Public proof-of-concept exploits

rapid7/metasploit-framework

References

cve@mitre.org (x_refsource_CONFIRM)
[oss-security] 20140128 Re: Remote code execution in horde < 5.1.1 (mailing-list, x_refsource_MLIST, Patch)
[oss-security] 20140128 Remote code execution in horde < 5.1.1 (mailing-list, x_refsource_MLIST, Patch)
[oss-security] 20140129 Re: Remote code execution in horde < 5.1.1 (mailing-list, x_refsource_MLIST)
DSA-2853 (vendor-advisory, x_refsource_DEBIAN)
cve@mitre.org (x_refsource_CONFIRM, Exploit, Patch)

Frequently asked questions

What is CVE-2014-1691?: CVE-2014-1691 is a vulnerability in Horde Horde_application_framework, classified under Code Injection. Published 2014-04-01.
Is CVE-2014-1691 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.