CVE-2019-12094

moderate-risk
Published 2019-10-24

Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=remove_f&user_name= or admin/config/diff.php?app= URI.

Do I need to act?

-
0.80% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Horde

References (12)

Exploit https://bugs.horde.org/ticket/14926
Exploit https://cxsecurity.com/issue/WLB-2019050199
Exploit https://numanozdemir.com/respdisc/horde/horde.mp4
Exploit https://numanozdemir.com/respdisc/horde/horde.txt
Exploit https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-I...
Exploit https://www.exploit-db.com/exploits/46903
Exploit https://bugs.horde.org/ticket/14926
Exploit https://cxsecurity.com/issue/WLB-2019050199
Exploit https://numanozdemir.com/respdisc/horde/horde.mp4
Exploit https://numanozdemir.com/respdisc/horde/horde.txt
Exploit https://packetstormsecurity.com/files/152975/Horde-Webmail-5.2.22-XSS-CSRF-SQL-I...
Exploit https://www.exploit-db.com/exploits/46903
31
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal