CVE-2015-8807

NameCVE-2015-8807
DescriptionCross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRenderer/Html.php in Horde Groupware before 5.2.12 and Horde Groupware Webmail Edition before 5.2.12 allows remote attackers to inject arbitrary web script or HTML via vectors involving numeric form fields.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-3496-1
Debian Bugs813590

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php-horde-core (PTS)buster2.31.6+debian0-1fixed
bullseye2.31.16+debian0-2fixed
bookworm, sid, trixie2.31.18+debian0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php-horde-coresourcejessie2.15.0+debian0-1+deb8u1DSA-3496-1
php-horde-coresource(unstable)2.22.4+debian0-1813590

Notes

https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253
https://www.openwall.com/lists/oss-security/2016/02/06/4
Search for package or bug name: Reporting problems