Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2009-4363

Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."

Published

2009-12-21T16:30:00.483

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	horde	application_framework	≤ 3.3.5	Yes
Application	horde	application_framework	2.0	Yes
Application	horde	application_framework	2.1	Yes
Application	horde	application_framework	2.1.3	Yes
Application	horde	application_framework	2.2	Yes
Application	horde	application_framework	2.2.1	Yes
Application	horde	application_framework	2.2.3	Yes
Application	horde	application_framework	2.2.4	Yes
Application	horde	application_framework	2.2.4_rc1	Yes
Application	horde	application_framework	2.2.5	Yes
Application	horde	application_framework	2.2.6	Yes
Application	horde	application_framework	3.0	Yes
Application	horde	application_framework	3.0.1	Yes
Application	horde	application_framework	3.0.2	Yes
Application	horde	application_framework	3.0.3	Yes
Application	horde	application_framework	3.0.4	Yes
Application	horde	application_framework	3.0.6	Yes
Application	horde	application_framework	3.0.7	Yes
Application	horde	application_framework	3.0.8	Yes
Application	horde	application_framework	3.0.9	Yes
Application	horde	application_framework	3.1	Yes
Application	horde	application_framework	3.1.1	Yes
Application	horde	application_framework	3.2	Yes
Application	horde	application_framework	3.2.1	Yes
Application	horde	application_framework	3.2.2	Yes
Application	horde	application_framework	3.2.3	Yes
Application	horde	application_framework	3.2.4	Yes
Application	horde	application_framework	3.3	Yes
Application	horde	application_framework	3.3.1	Yes
Application	horde	application_framework	3.3.2	Yes
Application	horde	application_framework	3.3.3	Yes
Application	horde	application_framework	3.3.4	Yes
Application	horde	groupware	≤ 1.2.4	Yes
Application	horde	groupware	1.0	Yes
Application	horde	groupware	1.0.1	Yes
Application	horde	groupware	1.0.2	Yes
Application	horde	groupware	1.0.3	Yes
Application	horde	groupware	1.0.4	Yes
Application	horde	groupware	1.0.5	Yes
Application	horde	groupware	1.1	Yes
Application	horde	groupware	1.1.1	Yes
Application	horde	groupware	1.1.2	Yes
Application	horde	groupware	1.1.3	Yes
Application	horde	groupware	1.1.4	Yes
Application	horde	groupware	1.1.5	Yes
Application	horde	groupware	1.2	Yes
Application	horde	groupware	1.2	Yes
Application	horde	groupware	1.2.1	Yes
Application	horde	groupware	1.2.2	Yes
Application	horde	groupware	1.2.3	Yes
Application	horde	groupware	≤ 1.2.4	Yes
Application	horde	groupware	1.0	Yes
Application	horde	groupware	1.0	Yes
Application	horde	groupware	1.0	Yes
Application	horde	groupware	1.0.1	Yes
Application	horde	groupware	1.0.2	Yes
Application	horde	groupware	1.0.3	Yes
Application	horde	groupware	1.0.4	Yes
Application	horde	groupware	1.0.5	Yes
Application	horde	groupware	1.0.6	Yes
Application	horde	groupware	1.0.7	Yes
Application	horde	groupware	1.0.8	Yes
Application	horde	groupware	1.1	Yes
Application	horde	groupware	1.1	Yes
Application	horde	groupware	1.1	Yes
Application	horde	groupware	1.1	Yes
Application	horde	groupware	1.1	Yes
Application	horde	groupware	1.1.1	Yes
Application	horde	groupware	1.1.2	Yes
Application	horde	groupware	1.1.3	Yes
Application	horde	groupware	1.1.4	Yes
Application	horde	groupware	1.1.5	Yes
Application	horde	groupware	1.1.6	Yes
Application	horde	groupware	1.2	Yes
Application	horde	groupware	1.2	Yes
Application	horde	groupware	1.2.1	Yes
Application	horde	groupware	1.2.2	Yes
Application	horde	groupware	1.2.3	Yes
Application	horde	groupware	1.2.3	Yes

References

http://bugs.horde.org/ticket/8715 Exploit ([email protected])
http://bugs.horde.org/view.php?actionID=view_file&type=patch&file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch&ticket=8715 Exploit ([email protected])
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559&r2=1.515.2.589&ty=h ([email protected])
http://lists.horde.org/archives/announce/2009/000529.html Patch ([email protected])
http://marc.info/?l=horde-announce&m=126100750018478&w=2 Patch ([email protected])
http://marc.info/?l=horde-announce&m=126101076422179&w=2 Patch ([email protected])
http://securitytracker.com/id?1023365 ([email protected])
http://bugs.horde.org/ticket/8715 Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://bugs.horde.org/view.php?actionID=view_file&type=patch&file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch&ticket=8715 Exploit (af854a3a-2127-422b-91ae-364da2661108)
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559&r2=1.515.2.589&ty=h (af854a3a-2127-422b-91ae-364da2661108)
http://lists.horde.org/archives/announce/2009/000529.html Patch (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=horde-announce&m=126100750018478&w=2 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=horde-announce&m=126101076422179&w=2 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://securitytracker.com/id?1023365 (af854a3a-2127-422b-91ae-364da2661108)