CVE-2012-5565 : Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet

Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Horde Groupware Webmail Edition before 4.0.9, allows remote attackers to inject arbitrary web script or HTML via a crafted name for an attached file, related to the dynamic view.

Published 2014-04-05 21:55:06

Updated 2025-04-12 10:46:41

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2012-5565

Horde » IMP
Versions up to, including, (<=) 5.0.23
cpe:2.3:a:horde:imp:*:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.12
cpe:2.3:a:horde:imp:5.0.12:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.10
cpe:2.3:a:horde:imp:5.0.10:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.8
cpe:2.3:a:horde:imp:5.0.8:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.6
cpe:2.3:a:horde:imp:5.0.6:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.20
cpe:2.3:a:horde:imp:5.0.20:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.16
cpe:2.3:a:horde:imp:5.0.16:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.5
cpe:2.3:a:horde:imp:5.0.5:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.9
cpe:2.3:a:horde:imp:5.0.9:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.22
cpe:2.3:a:horde:imp:5.0.22:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.13
cpe:2.3:a:horde:imp:5.0.13:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.15
cpe:2.3:a:horde:imp:5.0.15:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.17
cpe:2.3:a:horde:imp:5.0.17:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.19
cpe:2.3:a:horde:imp:5.0.19:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.18
cpe:2.3:a:horde:imp:5.0.18:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.14
cpe:2.3:a:horde:imp:5.0.14:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.4
cpe:2.3:a:horde:imp:5.0.4:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.7
cpe:2.3:a:horde:imp:5.0.7:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.11
cpe:2.3:a:horde:imp:5.0.11:*:*:*:*:*:*:*
Matching versions
Horde » IMP » Version: 5.0.21
cpe:2.3:a:horde:imp:5.0.21:*:*:*:*:*:*:*
Matching versions
Horde » Groupware » Webamail Edition
Versions up to, including, (<=) 4.0.8
cpe:2.3:a:horde:groupware:*:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0.6 Webamail Edition
cpe:2.3:a:horde:groupware:4.0.6:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0.5 Webamail Edition
cpe:2.3:a:horde:groupware:4.0.5:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0.4 Webamail Edition
cpe:2.3:a:horde:groupware:4.0.4:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0.3 Webamail Edition
cpe:2.3:a:horde:groupware:4.0.3:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0.7 Webamail Edition
cpe:2.3:a:horde:groupware:4.0.7:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0.2 Webamail Edition
cpe:2.3:a:horde:groupware:4.0.2:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0 Webamail Edition
cpe:2.3:a:horde:groupware:4.0:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0 Update RC1 Webamail Edition
cpe:2.3:a:horde:groupware:4.0:rc1:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0.1 Webamail Edition
cpe:2.3:a:horde:groupware:4.0.1:*:webamail:*:*:*:*:*
Matching versions
Horde » Groupware » Version: 4.0 Update RC2 Webamail Edition
cpe:2.3:a:horde:groupware:4.0:rc2:webamail:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2012-5565

EPSS FAQ

0.30%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 50 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2012-5565

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2012-5565

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-5565

http://lists.horde.org/archives/announce/2012/000833.html

[announce] IMP H4 (5.0.24) (final)
http://lists.opensuse.org/opensuse-updates/2012-12/msg00020.html

openSUSE-SU-2012:1626-1: moderate: update for horde4-imp
http://www.openwall.com/lists/oss-security/2012/11/23/6

oss-security - Re: CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading attachments.
http://lists.horde.org/archives/announce/2012/000840.html

[announce] Horde Groupware Webmail Edition 4.0.9 (final)
Vendor Advisory

CVEs referencing this url
https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2

[mms] SECURITY: Fix obscure XSS issue if uploading a file in dynamic … · horde/horde@1550c6e · GitHub

Jump to

Vulnerability Details : CVE-2012-5565

Products affected by CVE-2012-5565

Exploit prediction scoring system (EPSS) score for CVE-2012-5565

CVSS scores for CVE-2012-5565

CWE ids for CVE-2012-5565

References for CVE-2012-5565