← Back

CVE-2009-3237

nvd nist
Published: Sep 17, 2009Modified: Apr 23, 2026

JSON object

Loading...
4.3
Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploitability: 8.6 / Impact: 2.9
Source: NVD

Description

Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4; allow remote attackers to inject arbitrary web script or HTML via the (1) crafted number preferences that are not properly handled in the preference system (services/prefs.php), as demonstrated by the sidebar_width parameter; or (2) crafted unknown MIME "text parts" that are not properly handled in the MIME viewer library (config/mime_drivers.php).

Affected (35)

Horde
3 products
Horde Application Framework
Horde Groupware
Groupware
Configuration A
19 vulnerable
Vulnerable SoftwareAffected Versions
Horde
Horde Application Framework
Version 3.2.1
Horde Application Framework
Version 3.2.2
Horde Application Framework
Version 3.2.3
Horde Application Framework
Version 3.2.4
Horde Application Framework
Version 3.2
Horde Application Framework
Version 3.3.1
Horde Application Framework
Version 3.3.2
Horde Application Framework
Version 3.3.3
Horde Application Framework
Version 3.3.4
Horde Application Framework
Version 3.3
Horde
Horde Groupware
Version 1.1.1
Horde Groupware
Version 1.1.2
Horde Groupware
Version 1.1.3
Horde Groupware
Version 1.1.4
Horde Groupware
Version 1.1.5
Horde Groupware
Version 1.2.1
Horde Groupware
Version 1.2.2
Horde Groupware
Version 1.2.3
Horde Groupware
Version 1.2
Configuration B
16 vulnerable
Vulnerable SoftwareAffected Versions
Horde
Groupware
Version 1.1.1
Groupware
Version 1.1.2
Groupware
Version 1.1.3
Groupware
Version 1.1.4
Groupware
Version 1.1.6
Groupware
Version 1.1
Groupware
Version 1.1 rc1
Groupware
Version 1.1 rc2
Groupware
Version 1.1 rc3
Groupware
Version 1.1 rc4
Groupware
Version 1.2.1
Groupware
Version 1.2.2
Groupware
Version 1.2.3
Groupware
Version 1.2.3 rc1
Groupware
Version 1.2
Groupware
Version 1.2 rc1

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (24)

Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Patch
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Source: cve@mitre.org
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.