CVE-2021-26929

Published: 14/02/2021 Updated: 19/04/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 385
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

An XSS issue exists in Horde Groupware Webmail Edition up to and including 5.2.22 (where the Horde_Text_Filter library prior to 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.

Vendor Advisories

Debian Bug report logs - #982769 php-horde-text-filter: CVE-2021-26929 Package: src:php-horde-text-filter; Maintainer for src:php-horde-text-filter is Horde Maintainers <team+debian-horde-team@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Sun, 14 Feb 2021 08:51:05 UTC Severity: grav ...

Exploits

htmly version 280 suffers from a persistent cross site scripting vulnerability ...
Horde Groupware Webmail version 5.2.22 suffers from a persistent cross site scripting vulnerability ...
Webmail Edition version 5.2.22 suffers from remote code execution and cross site scripting vulnerabilities via the Horde_Text_Filter library ...