CVE-2002-2024

low-risk

Published 2002-12-31

Horde IMP 2.2.7 allows remote attackers to obtain the full web root pathname via an HTTP request for (1) poppassd.php3, (2) login.php3?reason=chpass2, (3) spelling.php3, and (4) ldap.search.php3?ldap_serv=nonsense which leaks the information in error messages.

Do I need to act?

0.39% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Imp

Affected Vendors

Horde

References (6)

http://bugs.horde.org/show_bug.cgi?id=916

http://www.iss.net/security_center/static/8768.php

http://www.securityfocus.com/bid/4445

http://bugs.horde.org/show_bug.cgi?id=916

http://www.iss.net/security_center/static/8768.php

http://www.securityfocus.com/bid/4445

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal