Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Horde

Source -

CNA

BOS Name -

Horde LLC

CNA CVEs -

3

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
3Vulnerabilities found
CVE-2025-30349
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-7.2||HIGH
EPSS-9.02% / 92.29%
||
7 Day CHG~0.00%
Published-21 Mar, 2025 | 00:00
Updated-03 Apr, 2025 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Horde IMP through 6.2.27, as used with Horde Application Framework through 5.2.23, allows XSS that leads to account takeover via a crafted text/html e-mail message with an onerror attribute (that may use base64-encoded JavaScript code), as exploited in the wild in March 2025.

Action-Not Available
Vendor-Horde LLC
Product-IMP
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-8865
Assigner-Zero Day Initiative
ShareView Details
Assigner-Zero Day Initiative
CVSS Score-6.3||MEDIUM
EPSS-3.90% / 87.81%
||
7 Day CHG~0.00%
Published-23 Mar, 2020 | 20:15
Updated-04 Aug, 2024 | 10:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within edit.php. When parsing the params[template] parameter, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10469.

Action-Not Available
Vendor-Horde LLCDebian GNU/Linux
Product-debian_linuxgroupwareGroupware Webmail Edition
CWE ID-CWE-23
Relative Path Traversal
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-8866
Assigner-Zero Day Initiative
ShareView Details
Assigner-Zero Day Initiative
CVSS Score-4.3||MEDIUM
EPSS-3.42% / 86.99%
||
7 Day CHG~0.00%
Published-23 Mar, 2020 | 20:15
Updated-04 Aug, 2024 | 10:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The specific flaw exists within add.php. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the www-data user. Was ZDI-CAN-10125.

Action-Not Available
Vendor-Horde LLCDebian GNU/Linux
Product-debian_linuxgroupwarehorde_formGroupware Webmail Edition
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type