Vulnerability Details : CVE-2012-0791
Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) composeCache, (2) rtemode, or (3) filename_* parameters to the compose page; (4) formname parameter to the contacts popup window; or (5) IMAP mailbox names. NOTE: some of these details are obtained from third party information.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2012-0791
- cpe:2.3:a:horde:imp:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:3.2.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0.4-git:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:horde:imp:5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:*:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:horde:groupware_webmail_edition:1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:*:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:horde:dynamic_imp:5.0.16:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-0791
0.32%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 67 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-0791
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2012-0791
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0791
-
http://www.openwall.com/lists/oss-security/2012/01/22/2
oss-security - Re: CVE Request -- Horde IMP -- Multiple XSS flaws fixed in v5.0.18
-
http://www.securityfocus.com/bid/51586
Multiple Horde Products Cross Site Scripting and HTML Injection Vulnerabilities
-
http://www.securitytracker.com/id?1026554
Horde Groupware Input Validation Flaws Permit Cross-Site Scripting Attacks - SecurityTracker
-
http://www.horde.org/apps/imp/docs/CHANGES
Documentation - IMP - The Horde Project
-
http://www.horde.org/apps/webmail/docs/RELEASE_NOTES
Documentation - Webmail - The Horde Project
-
http://www.horde.org/apps/webmail/docs/CHANGES
Documentation - Webmail - The Horde Project
-
http://www.securitytracker.com/id?1026553
Horde Internet Messaging Program (IMP) Input Validation Flaws Permit Cross-Site Scripting Attacks - SecurityTracker
-
http://www.horde.org/apps/imp/docs/RELEASE_NOTES
Documentation - IMP - The Horde Project
-
http://www.debian.org/security/2012/dsa-2485
Debian -- Security Information -- DSA-2485-1 imp4
Jump to