CVE Vulnerability

CVE-2008-1284

Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name.

6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

References
Link Resource
http://lists.horde.org/archives/announce/2008/000383.html
http://lists.horde.org/archives/announce/2008/000384.html
http://lists.horde.org/archives/announce/2008/000382.html Patch
http://www.securityfocus.com/bid/28153 Patch
http://secunia.com/advisories/29286 Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00253.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00301.html
http://secunia.com/advisories/29374 Vendor Advisory
http://www.debian.org/security/2008/dsa-1519
http://secunia.com/advisories/29400 Vendor Advisory
http://securityreason.com/securityalert/3726
http://security.gentoo.org/glsa/glsa-200805-01.xml
http://secunia.com/advisories/30047 Vendor Advisory
http://www.vupen.com/english/advisories/2008/0822/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41054
http://www.securityfocus.com/archive/1/489289/100/0/threaded
http://www.securityfocus.com/archive/1/489239/100/0/threaded
Configurations

Configuration 1

cpe:2.3:a:horde:horde:3.1.6:*:*:*:*:*:*:*
cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*
cpe:2.3:a:horde:groupware_webmail_edition:*:*:*:*:*:*:*:*
Information

Published : 2008-03-11 12:44

Updated : 2018-10-11 08:31

NVD link : CVE-2008-1284

Mitre link : CVE-2008-1284

Products Affected
No products.
CWE
CWE-20