CVE-2008-0807
Summary
| CVE | CVE-2008-0807 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2008-02-19 01:00:00 UTC |
| Updated | 2011-03-08 03:05:00 UTC |
| Description | lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 4.0 | All | All | All |
| Operating System | Debian | Debian Linux | 4.0 | All | alpha | All |
| Operating System | Debian | Debian Linux | 4.0 | All | amd64 | All |
| Operating System | Debian | Debian Linux | 4.0 | All | arm | All |
| Operating System | Debian | Debian Linux | 4.0 | All | hppa | All |
| Operating System | Debian | Debian Linux | 4.0 | All | ia-32 | All |
| Operating System | Debian | Debian Linux | 4.0 | All | ia-64 | All |
| Operating System | Debian | Debian Linux | 4.0 | All | m68k | All |
| Operating System | Debian | Debian Linux | 4.0 | All | mips | All |
| Operating System | Debian | Debian Linux | 4.0 | All | mipsel | All |
| Operating System | Debian | Debian Linux | 4.0 | All | powerpc | All |
| Operating System | Debian | Debian Linux | 4.0 | All | s-390 | All |
| Operating System | Debian | Debian Linux | 4.0 | All | sparc | All |
| Application | Horde | Groupware | 1.0.3 | All | All | All |
| Application | Horde | Groupware Webmail Edition | 1.0.4 | All | All | All |
| Application | Horde | Turba Contact Manager | 2.1.6 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian update for turba2 - Advisories - Secunia | SECUNIA | secunia.com | |
| [announce] Turba H3 (2.1.7) (final) | MLIST | lists.horde.org | Patch |
| [announce] Horde Groupware Webmail Edition 1.0.5 (final) | MLIST | lists.horde.org | Patch |
| [announce] Horde Groupware 1.0.4 (final) | MLIST | lists.horde.org | Patch |
| Fedora update for horde - Advisories - Secunia | SECUNIA | secunia.com | |
| [SECURITY] Fedora 7 Update: turba-2.1.7-1.fc7 | FEDORA | www.redhat.com | |
| Multiple Horde Products Security Bypass Vulnerability | BID | www.securityfocus.com | Patch |
| #464058 - turba2: Access rights not checked properly - Debian Bug report logs | CONFIRM | bugs.debian.org | |
| Webmail : Solution de messagerie professionnelle - OVHcloud- OVH | VUPEN | www.vupen.com | |
| Fedora update for turba - Advisories - Secunia | SECUNIA | secunia.com | |
| Multiple Horde Products Security Bypass - Advisories - Secunia | SECUNIA | secunia.com | Vendor Advisory |
| Horde Groupware Discloses Address Book Contacts to Remote Users - SecurityTracker | SECTRACK | www.securitytracker.com | |
| [SECURITY] Fedora 8 Update: turba-2.1.7-1.fc8 | FEDORA | www.redhat.com | |
| [announce] Turba H3 (2.2-RC3) | MLIST | lists.horde.org | Patch |
| Bug 432027 – CVE-2008-0807 turba: insufficient access checks | CONFIRM | bugzilla.redhat.com | |
| Fedora update for imp - Advisories - Secunia | SECUNIA | secunia.com | |
| Debian -- Security Information -- DSA-1507-1 turba2 | DEBIAN | www.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.