{"api_version":"1","generated_at":"2026-05-14T21:38:21+00:00","cve":"CVE-2015-7984","urls":{"html":"https://cve.report/CVE-2015-7984","api":"https://cve.report/api/cve/CVE-2015-7984.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2015-7984","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2015-7984"},"summary":{"title":"CVE-2015-7984","description":"Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php.","state":"PUBLISHED","assigner":"mitre","published_at":"2015-11-19 20:59:09","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-352","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.8","severity":"","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://lists.horde.org/archives/announce/2015/001137.html","name":"http://lists.horde.org/archives/announce/2015/001137.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"[announce] [SECURITY] Horde Groupware 5.2.11 (final)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.htbridge.com/advisory/HTB23272","name":"https://www.htbridge.com/advisory/HTB23272","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"File Not Found","mime":"text/html","httpstatus":"404","archivestatus":"403"},{"url":"http://lists.horde.org/archives/announce/2015/001138.html","name":"http://lists.horde.org/archives/announce/2015/001138.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"[announce] [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.debian.org/security/2015/dsa-3391","name":"http://www.debian.org/security/2015/dsa-3391","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-3391-1 php-horde","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.horde.org/archives/announce/2015/001124.html","name":"http://lists.horde.org/archives/announce/2015/001124.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"[announce] [SECURITY] Horde 5.2.8 (final)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/38765/","name":"https://www.exploit-db.com/exploits/38765/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"],"title":"Horde Groupware 5.2.10 - Cross-Site Request Forgery - PHP webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2015-7984","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7984","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2015","cve_id":"7984","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"7984","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"horde","cpe5":"groupware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"7984","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"horde","cpe5":"groupware","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"webmail","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"7984","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"horde","cpe5":"horde_application_framework","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T08:06:31.501Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"[announce] 20151021 [SECURITY] Horde 5.2.8 (final)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://lists.horde.org/archives/announce/2015/001124.html"},{"name":"[announce] 20151022 [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://lists.horde.org/archives/announce/2015/001138.html"},{"name":"38765","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/38765/"},{"name":"DSA-3391","tags":["vendor-advisory","x_refsource_DEBIAN","x_transferred"],"url":"http://www.debian.org/security/2015/dsa-3391"},{"name":"[announce] 20151022 [SECURITY] Horde Groupware 5.2.11 (final)","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://lists.horde.org/archives/announce/2015/001137.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.htbridge.com/advisory/HTB23272"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2015-10-21T00:00:00.000Z","descriptions":[{"lang":"en","value":"Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2016-12-05T22:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"[announce] 20151021 [SECURITY] Horde 5.2.8 (final)","tags":["mailing-list","x_refsource_MLIST"],"url":"http://lists.horde.org/archives/announce/2015/001124.html"},{"name":"[announce] 20151022 [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)","tags":["mailing-list","x_refsource_MLIST"],"url":"http://lists.horde.org/archives/announce/2015/001138.html"},{"name":"38765","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/38765/"},{"name":"DSA-3391","tags":["vendor-advisory","x_refsource_DEBIAN"],"url":"http://www.debian.org/security/2015/dsa-3391"},{"name":"[announce] 20151022 [SECURITY] Horde Groupware 5.2.11 (final)","tags":["mailing-list","x_refsource_MLIST"],"url":"http://lists.horde.org/archives/announce/2015/001137.html"},{"tags":["x_refsource_MISC"],"url":"https://www.htbridge.com/advisory/HTB23272"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2015-7984","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"[announce] 20151021 [SECURITY] Horde 5.2.8 (final)","refsource":"MLIST","url":"http://lists.horde.org/archives/announce/2015/001124.html"},{"name":"[announce] 20151022 [SECURITY] Horde Groupware Webmail Edition 5.2.11 (final)","refsource":"MLIST","url":"http://lists.horde.org/archives/announce/2015/001138.html"},{"name":"38765","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/38765/"},{"name":"DSA-3391","refsource":"DEBIAN","url":"http://www.debian.org/security/2015/dsa-3391"},{"name":"[announce] 20151022 [SECURITY] Horde Groupware 5.2.11 (final)","refsource":"MLIST","url":"http://lists.horde.org/archives/announce/2015/001137.html"},{"name":"https://www.htbridge.com/advisory/HTB23272","refsource":"MISC","url":"https://www.htbridge.com/advisory/HTB23272"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2015-7984","datePublished":"2015-11-19T20:00:00.000Z","dateReserved":"2015-10-26T00:00:00.000Z","dateUpdated":"2024-08-06T08:06:31.501Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2015-11-19 20:59:09","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-352","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.0","versionEndExcluding":"5.2.11","matchCriteriaId":"BF7D0049-BC4B-4AAB-88A9-29B4DF202DAD"},{"vulnerable":true,"criteria":"cpe:2.3:a:horde:groupware:*:*:*:*:webmail:*:*:*","versionStartIncluding":"5.0.0","versionEndExcluding":"5.2.11","matchCriteriaId":"A718E8E7-A300-4753-B2E6-02C41ED796DD"},{"vulnerable":true,"criteria":"cpe:2.3:a:horde:horde_application_framework:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.0","versionEndExcluding":"5.2.8","matchCriteriaId":"1C998570-A707-4AE9-AB33-11455C9262B5"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","matchCriteriaId":"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2015","CveId":"7984","Ordinal":"1","Title":"CVE-2015-7984","CVE":"CVE-2015-7984","Year":"2015"},"notes":[{"CveYear":"2015","CveId":"7984","Ordinal":"1","NoteData":"Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupware Webmail Edition before 5.2.11 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary (1) commands via the cmd parameter to admin/cmdshell.php, (2) SQL queries via the sql parameter to admin/sqlshell.php, or (3) PHP code via the php parameter to admin/phpshell.php.","Type":"Description","Title":"CVE-2015-7984"},{"CveYear":"2015","CveId":"7984","Ordinal":"2","NoteData":"2015-11-19","Type":"Other","Title":"Published"},{"CveYear":"2015","CveId":"7984","Ordinal":"3","NoteData":"2016-12-05","Type":"Other","Title":"Modified"}]}}}