Description
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the treanBookmarkTags parameter to the trean/ URI on a webmail server. NOTE: treanBookmarkTags could, for example, be a stored XSS payload.
Packages
| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| php-horde-trean | unfixed | | | package |
| php-horde | fixed | 5.2.21+debian0-1 | | package |
| php-horde | fixed | 5.2.20+debian0-1+deb10u1 | buster | package |
| php-horde | fixed | 5.2.13+debian0-1+deb9u1 | stretch | package |
Notes
https://github.com/horde/base/commit/81a7b53973506856db67e7f0b0263be29528aa75
https://bugs.horde.org/ticket/14926 (for the stored XSS)
Negligible impact for php-horde-trean, and unlikely that upstream will address