CVE-2017-16908
- Source
- https://cve.org/CVERecord?id=CVE-2017-16908
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16908.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-16908
- Downstream
- Published
- 2017-11-20T20:29:00.480Z
- Modified
- 2026-03-03T01:04:52.392478Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote code execution after compromising an administrator account, because the CVE-2015-7984 CSRF protection mechanism can then be bypassed.
- References
-
- https://lists.debian.org/debian-lts-announce/2020/08/msg00048.html
- http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
- https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716
- http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
- https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716
- http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
Affected packages
Git / github.com/horde/kronolith
Affected ranges
- Type
- GIT
- Repo
- https://github.com/horde/kronolith
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v3.*
v3.0.0
v3.0.0alpha1
v3.0.0beta1
v3.0.0rc1
v3.0.0rc2
v3.0.1
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v4.*
v4.0.0
v4.0.0beta1
v4.0.0beta2
v4.0.0rc1
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.1.0
v4.1.0beta1
v4.1.0beta2
v4.1.0rc1
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.0alpha1
v4.2.0alpha2
v4.2.0beta1
v4.2.0beta2
v4.2.0rc1
v4.2.0rc2
v4.2.1
v4.2.10
v4.2.11
v4.2.12
v4.2.13
v4.2.14
v4.2.15
v4.2.16
v4.2.17
v4.2.18
v4.2.19
v4.2.2
v4.2.20
v4.2.21
v4.2.22
v4.2.23
v4.2.24
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9