CVE Vulnerability

CVE-2008-0807

lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.

4.9 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

References
Link Resource
http://lists.horde.org/archives/announce/2008/000380.html Patch
http://lists.horde.org/archives/announce/2008/000381.html Patch
http://lists.horde.org/archives/announce/2008/000379.html Patch
http://lists.horde.org/archives/announce/2008/000378.html Patch
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
http://www.securityfocus.com/bid/27844 Patch
http://secunia.com/advisories/28982 Vendor Advisory
http://www.debian.org/security/2008/dsa-1507
http://www.securitytracker.com/id?1019433
http://secunia.com/advisories/29071
https://bugzilla.redhat.com/show_bug.cgi?id=432027
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html
http://secunia.com/advisories/29184
http://secunia.com/advisories/29185
http://secunia.com/advisories/29186
http://www.vupen.com/english/advisories/2008/0593/references
Configurations

Configuration 1
Information

Published : 2008-02-19 01:00

Updated : 2011-03-08 03:05

NVD link : CVE-2008-0807

Mitre link : CVE-2008-0807

Products Affected
No products.
CWE
CWE-264