[Tickets #14926] Re: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
noreply at bugs.horde.org
Wed Dec 4 15:10:37 UTC 2019
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: https://bugs.horde.org/ticket/14926
------------------------------------------------------------------------------
Ticket | 14926
Updated By | roberto at debian.org
Summary | Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing
| Emails <= v5.2.22
Queue | Horde Groupware
Version | 5.2.22
Type | Bug
State | Resolved
Priority | 3. High
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
roberto at debian.org (2019-12-04 15:10) wrote:
Thanks for the follow-up. I also asked MITRE and they offered the
following clarification:
> The stored XSS should be considered part of the CSRF vulnerability
> in CVE-2019-12095, with the CSRF being the primary vulnerability.
> The reflected XSS vectors are all covered by CVE-2019-12094.
The CVE database entries have been updated so as to be more clear.