Vulnerability Details : CVE-2012-5567
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Groupware Webmail Edition before 4.0.9, allow remote attackers to inject arbitrary web script or HTML via crafted event location parameters in the (1) month, (2) monthlist, or (3) prevmonthlist fields, related to portal blocks.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2012-5567
- cpe:2.3:a:horde:groupware:*:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0.6:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0.5:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0.4:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0.3:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0.7:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0.2:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0:rc1:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0.1:*:webamail:*:*:*:*:*
- cpe:2.3:a:horde:groupware:4.0:rc2:webamail:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:*:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:horde:kronolith_h4:3.0.16:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-5567
0.32%: probability of exploitation activity in the next 30 days
~67%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-5567
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2012-5567
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-5567
- http://lists.opensuse.org/opensuse-updates/2012-12/msg00019.html
  openSUSE-SU-2012:1625-1: moderate: horde4-kronolith
- http://www.securityfocus.com/bid/56541
  Multiple Horde Products Multiple Unspecified HTML Injection Vulnerabilities
- http://www.openwall.com/lists/oss-security/2012/11/23/7
  oss-security - Re: CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws
- http://lists.horde.org/archives/announce/2012/000836.html
  [announce] Kronolith H4 (3.0.18) (final)
- https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES
  horde/CHANGES at d3dda2d47fad7eb128a0091e732cded0c2601009 · horde/horde · GitHub (Vendor Advisory)
- http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e
  Horde :: Log in
- http://www.openwall.com/lists/oss-security/2012/11/23/3
  oss-security - CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws
- https://bugzilla.redhat.com/show_bug.cgi?id=879684
  879684 – (CVE-2012-5567) CVE-2012-5567 kronolith: Multiple XSS flaws in the portal blocks