CVE-2007-1679

low-risk

Published 2007-03-26

Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages

Do I need to act?

0.47% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Groupware

Affected Vendors

Horde

References (10)

http://securityreason.com/securityalert/2487

http://www.securityfocus.com/archive/1/463819/100/0/threaded

http://www.securityfocus.com/archive/1/463911/100/0/threaded

http://www.securityfocus.com/bid/23136

https://exchange.xforce.ibmcloud.com/vulnerabilities/33228

http://securityreason.com/securityalert/2487

http://www.securityfocus.com/archive/1/463819/100/0/threaded

http://www.securityfocus.com/archive/1/463911/100/0/threaded

http://www.securityfocus.com/bid/23136

https://exchange.xforce.ibmcloud.com/vulnerabilities/33228

/ 100

low-risk

Severity 21/34 · High

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal