CVE-2017-16906
- Source
- https://cve.org/CVERecord?id=CVE-2017-16906
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16906.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-16906
- Downstream
- Published
- 2017-11-20T20:29:00.340Z
- Modified
- 2026-03-03T01:04:51.060756Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar -> New Event" action.
- References
-
- https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html
- http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
- https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d
- https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md
- http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
- https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d
- http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
- https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md
Affected packages
Git / github.com/horde/kronolith
Affected ranges
- Type
- GIT
- Repo
- https://github.com/horde/kronolith
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v3.*
v3.0.0
v3.0.0alpha1
v3.0.0beta1
v3.0.0rc1
v3.0.0rc2
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v4.*
v4.0.0
v4.0.0beta1
v4.0.0beta2
v4.0.0rc1
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.1.0
v4.1.0beta1
v4.1.0beta2
v4.1.0rc1
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.0alpha1
v4.2.0alpha2
v4.2.0beta1
v4.2.0beta2
v4.2.0rc1
v4.2.0rc2
v4.2.1
v4.2.10
v4.2.11
v4.2.12
v4.2.13
v4.2.14
v4.2.15
v4.2.16
v4.2.17
v4.2.18
v4.2.19
v4.2.2
v4.2.20
v4.2.21
v4.2.22
v4.2.23
v4.2.24
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9