Multiple Horde Products Private Tasks Security Bypass Vulnerability
BID:50800
Info
| Bugtraq ID: | 50800 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 24 2011 12:00AM |
| Updated: | Nov 24 2011 12:00AM |
| Credit: | samuel.wolf |
| Vulnerable: | Horde Nag 3.0.5; Horde Horde Groupware Webmail Edition 4.0.3; Horde Horde Groupware 4.0.3 |
| Not Vulnerable: | Horde Nag 3.0.6; Horde Horde Groupware Webmail Edition 4.0.4; Horde Horde Groupware 4.0.4 |
Discussion
Multiple Horde Products are prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass security restrictions to obtain sensitive information; this may aid in launching further attacks.
The following products are vulnerable:
- Horde Groupware versions prior to 4.0.4
- Horde Groupware Webmail Edition versions prior to 4.0.4
- Nag versions prior to 3.0.6
Exploit / POC
Attackers can exploit this issue through a browser.
Solution / Fix
Solution:
The vendor has released fixes and an advisory. Please see the references for details.
References
References:
- [#10712] Delegate can not see the description of a privat task (samuel (dot) wolf (at) wolf-maschinenbau (dot) de)
- commit:Don't display task details of private tasks via the API (Bug #10712) (Git)
- Horde Groupware Changelog (Horde)
- Horde Groupware Webmail Edition Changelog (Horde)
- Nag Changelog (Horde)
- Pandora Homepage (Pandora FMS Team)