CVE-2015-8807

Name: CVE-2015-8807
Description: Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-3496-1
NVD severity: medium (attack range: remote)
Debian Bugs: 813590

Vulnerable and fixed packages

The table below lists information on source packages.

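| Source Package | Release | Version | Status |
|---|---|---|---|
| php-horde-core (PTS) | jessie (security), jessie | 2.15.0+debian0-1+deb8u1 | fixed |
| php-horde-core (PTS) | stretch | 2.27.6+debian1-2 | fixed |
| php-horde-core (PTS) | buster, sid | 2.30.2+debian0-1 | fixed |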

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| php-horde-core | source | (unstable) | 2.22.4+debian0-1 | medium | | 813590 |
| php-horde-core | source | jessie | 2.15.0+debian0-1+deb8u1 | medium | DSA-3496-1 | |

Notes

https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253
http://www.openwall.com/lists/oss-security/2016/02/06/4
