CVE-2016-2228

Published: Apr 13, 2016Modified: May 6, 2026

6.1

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via the searchfield parameter, as demonstrated by a request to xplorer/gollem/manager.php.

Affected (5)

Products: Debian: Debian Linux · Horde: Groupware, Horde Groupware · Fedoraproject: Fedora

1 product

2 products

Horde Groupware

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Horde Groupware	Up to 5.2.11
Horde Horde Groupware	Up to 5.2.11

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 22
Fedoraproject Fedora	Version 23

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (20)

http://bugs.horde.org/ticket/14213

Source: security@debian.org

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html

Source: security@debian.org

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html

Source: security@debian.org

http://lists.horde.org/archives/announce/2016/001148.html

Source: security@debian.org

Vendor Advisory

http://lists.horde.org/archives/announce/2016/001149.html

Source: security@debian.org

Vendor Advisory

http://www.debian.org/security/2016/dsa-3497

Source: security@debian.org

http://www.openwall.com/lists/oss-security/2016/02/06/4

Source: security@debian.org

http://www.openwall.com/lists/oss-security/2016/02/06/5

Source: security@debian.org

https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES

Source: security@debian.org

https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8

Source: security@debian.org

Exploit

http://bugs.horde.org/ticket/14213

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177484.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177584.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.horde.org/archives/announce/2016/001148.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://lists.horde.org/archives/announce/2016/001149.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.debian.org/security/2016/dsa-3497

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2016/02/06/4

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2016/02/06/5

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/horde/horde/blob/e838d4c800b0d1ecaf8b4cc613fd3af4f994c79c/bundles/webmail/docs/CHANGES

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.