CVE-2021-26929
Summary
| CVE | CVE-2021-26929 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2021-02-14 04:15:00 UTC |
|---|
| Updated | 2021-04-19 20:21:00 UTC |
|---|
| Description | An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Releases · horde/webmail · GitHub |
MISC |
github.com |
Third Party Advisory |
| [CVE-2021-26929] Horde Groupware Webmail Edition 5.2.22 - Stored XSS in received emails |
MISC |
www.alexbirnberg.com |
Exploit, Third Party Advisory |
| Webmail Edition 5.2.22 XSS / Remote Code Execution ≈ Packet Storm |
MISC |
packetstormsecurity.com |
|
| [SECURITY] [DLA 2564-1] php-horde-text-filter security update |
MLIST |
lists.debian.org |
Mailing List, Third Party Advisory |
| [announce] [SECURITY] CVE 2021-26929: XSS vulnerability in Horde_Text_Filter |
CONFIRM |
lists.horde.org |
Mailing List, Vendor Advisory |
| Horde Groupware Webmail 5.2.22 Cross Site Scripting ≈ Packet Storm |
MISC |
packetstormsecurity.com |
|
| Webmail - The Horde Project |
MISC |
www.horde.org |
Vendor Advisory |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 180080 Debian Security Update for php-horde-text-filter (CVE-2021-26929)
