Vulnerability Details : CVE-2008-0807
lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.
Products affected by CVE-2008-0807
- cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:turba_contact_manager:2.1.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-0807
- 0.26%: Probability of exploitation activity in the next 30 days
- ~65%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-0807
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N | 6.8 | 4.9 | NIST | |
CWE ids for CVE-2008-0807
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-0807
- http://www.securityfocus.com/bid/27844 (Patch)
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html
- https://bugzilla.redhat.com/show_bug.cgi?id=432027
- http://lists.horde.org/archives/announce/2008/000378.html (Patch)
- http://lists.horde.org/archives/announce/2008/000381.html (Patch)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
- http://www.securitytracker.com/id?1019433
- http://www.vupen.com/english/advisories/2008/0593/references
- http://www.debian.org/security/2008/dsa-1507
- http://lists.horde.org/archives/announce/2008/000379.html (Patch)
- http://lists.horde.org/archives/announce/2008/000380.html (Patch)
- https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html