Product
horde groupware
93 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2025-41066
all versions
Horde Groupware v5.2.22 has a user enumeration vulnerability that allows an unauthenticated attacker to determine the existence of
5.3
MEDIUM
CVE-2022-30287
<= 5.2.22
Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a dr
8.0
HIGH
CVE-2021-26929
<= 5.2.22
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is
6.1
MEDIUM
CVE-2020-8034
all versions
Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site
6.1
MEDIUM
CVE-2020-8035
< 5.2.22
The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) v
6.1
MEDIUM
CVE-2020-8866
all versions
This vulnerability allows remote attackers to create arbitrary files on affected installations of Horde Groupware Webmail Edition
6.5
MEDIUM
CVE-2020-8865
all versions
This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition
6.3
MEDIUM
CVE-2020-8518
all versions
Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution.
9.8
CRITICAL
CVE-2013-6275
<= 5.1.2
Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earlier in basic.php.
6.5
MEDIUM
CVE-2013-6365
all versions
Horde Groupware Web mail 5.1.2 has CSRF with requests to change permissions
5.3
MEDIUM
CVE-2013-6364
all versions
Horde Groupware Webmail Edition has CSRF and XSS when saving search as a virtual address book
8.8
HIGH
CVE-2019-12095
<= 5.2.22
Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 and other products, allows CSRF, as demonstrated by the tre
8.8
HIGH
CVE-2019-12094
<= 5.2.22
Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin/user.php?form=update_f&user_name= or admin/user.php?form=re
6.1
MEDIUM
CVE-2019-9858
all versions
Remote code execution was discovered in Horde Groupware Webmail 5.2.22 and 5.2.17. Horde/Form/Type.php contains a vulnerable class
8.8
HIGH
CVE-2017-16908
all versions
In Horde Groupware 5.2.19, there is XSS via the Name field during creation of a new Resource. This can be leveraged for remote cod
5.4
MEDIUM
CVE-2017-16907
all versions
In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field in a Create Task List action.
5.4
MEDIUM
CVE-2017-16906
>= 5.2.19 and <= 5.2.22
In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a "Calendar - New Event" action.
5.4
MEDIUM
CVE-2017-15235
all versions
The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file
7.5
HIGH
CVE-2017-7414
all versions
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition 5.x through 5.2.17, OS Command Injection can occur if the
7.5
HIGH
CVE-2017-7413
<= 5.2.17
In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Edition through 5.2.17, OS Command Injection can occur if the atta
8.8
HIGH
CVE-2016-5303
all versions
Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition befor
6.1
MEDIUM
CVE-2016-2228
<= 5.2.11
Cross-site scripting (XSS) vulnerability in horde/templates/topbar/_menubar.html.php in Horde Groupware before 5.2.12 and Horde Gr
6.1
MEDIUM
CVE-2015-8807
all versions
Cross-site scripting (XSS) vulnerability in the _renderVarInput_number function in horde/framework/Core/lib/Horde/Core/Ui/VarRende
6.1
MEDIUM
CVE-2015-7984
>= 5.0.0 and < 5.2.11
Multiple cross-site request forgery (CSRF) vulnerabilities in Horde before 5.2.8, Horde Groupware before 5.2.11, and Horde Groupwa
CVE-2014-4946
<= 5.1.4
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware
CVE-2014-4945
<= 5.1.4
Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware
CVE-2012-6640
<= 4.0.8
Cross-site scripting (XSS) vulnerability in Horde Internet Mail Program (IMP) before 5.0.22, as used in Horde Groupware Webmail Ed
CVE-2012-5567
<= 4.0.8
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.18, as used in Horde Gro
CVE-2012-5566
<= 4.0.7
Multiple cross-site scripting (XSS) vulnerabilities in Horde Kronolith Calendar Application H4 before 3.0.17, as used in Horde Gro
CVE-2012-5565
<= 4.0.8
Cross-site scripting (XSS) vulnerability in js/compose-dimp.js in Horde Internet Mail Program (IMP) before 5.0.24, as used in Hord
CVE-2014-1691
<= 5.1.0
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct obj
CVE-2012-0209
all versions
Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and
CVE-2012-0909
<= 4.0.5
Cross-site scripting (XSS) vulnerability in Horde_Form in Horde Groupware Webmail Edition before 4.0.6 allows remote attackers to
CVE-2012-0791
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP before 5.0.18 and Horde Groupware Webmail Edition before 4.0.6 al
CVE-2010-4778
<= 1.2.6
Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail E
CVE-2010-3693
<= 1.2.6
Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.
CVE-2010-3695
<= 1.2.6
Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition befo
CVE-2010-3694
<= 3.3.8
Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack
CVE-2010-3077
<= 3.3.8
Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote at
CVE-2010-1638
all versions
The IMP plugin in Horde allows remote attackers to bypass firewall restrictions and use Horde as a proxy to scan internal networks
CVE-2010-0463
<= 4.3.6
Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messag
CVE-2009-4363
<= 1.2.4
Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Gro
CVE-2009-3701
<= 1.2.4
Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, H
CVE-2009-3237
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupwar
CVE-2009-3236
all versions
The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1
CVE-2008-7219
all versions
Horde Kronolith H3 2.1 before 2.1.7 and 2.2 before 2.2-RC2; Nag H3 2.1 before 2.1.4 and 2.2 before 2.2-RC2; Mnemo H3 2.1 before 2.
CVE-2008-7218
all versions
Unspecified vulnerability in the Horde API in Horde 3.1 before 3.1.6 and 3.2 before 3.2 before 3.2-RC2; Turba H3 2.1 before 2.1.6
CVE-2009-0932
all versions
Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 al
CVE-2009-0931
<= 3.3.1
Cross-site scripting (XSS) vulnerability in the tag cloud search script (horde/services/portal/cloud_search.php) in Horde before 3
CVE-2008-5917
all versions
Cross-site scripting (XSS) vulnerability in the XSS filter (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3
CVE-2008-3824
all versions
Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and
CVE-2008-3823
all versions
Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in the MIME library in Horde 3.2.x before 3.2.2 allows remote a
CVE-2008-3650
all versions
Multiple unspecified vulnerabilities in Horde Groupware Webmail before Edition 1.1.1 (final) have unknown impact and attack vector
CVE-2008-3330
all versions
Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inje
CVE-2008-2783
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote atta
CVE-2008-1974
all versions
Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware
CVE-2008-1284
<= 1.0.4
Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running
CVE-2008-0807
all versions
lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as
CVE-2007-6018
all versions
IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 does not validate unspecifi
CVE-2007-1679
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbi
5.4
MEDIUM
CVE-2007-1515
<= 4.1.3
Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject
CVE-2007-1474
all versions
Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.
CVE-2007-1473
all versions
Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in Horde Framework before 3.1.4 RC1, when the login page contain
CVE-2007-0579
all versions
Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allow
CVE-2006-6175
all versions
Directory traversal vulnerability in lib/FBView.php in Horde Kronolith H3 before 2.0.7 and 2.1.x before 2.1.4 allows remote attack
CVE-2006-4256
all versions
index.php in Horde Application Framework before 3.1.2 allows remote attackers to include web pages from other sites, which could b
CVE-2006-4255
all versions
Cross-site scripting (XSS) vulnerability in horde/imp/search.php in Horde IMP H3 before 4.1.3 allows remote attackers to include a
CVE-2006-3549
all versions
services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image p
CVE-2006-3548
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 al
CVE-2006-2195
<= 3.0.9
Cross-site scripting (XSS) vulnerability in horde 3 (horde3) before 3.1.1 allows remote attackers to inject arbitrary web script o
CVE-2006-1491
all versions
Eval injection vulnerability in Horde Application Framework versions 3.0 before 3.0.10 and 3.1 before 3.1.1 allows remote attacker
CVE-2006-1260
all versions
Horde Application Framework 3.0.9 allows remote attackers to read arbitrary files via a null character in the url parameter in ser
CVE-2005-4190
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework before 3.0.8 allow remote authenticated users t
CVE-2005-4080
all versions
Horde IMP 4.0.4 and earlier does not sanitize strings containing UTF16 null characters, which allows remote attackers to conduct c
CVE-2005-3759
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Horde before 3.0.7 allow remote attackers to inject arbitrary web script or
CVE-2005-3570
all versions
Unspecified cross-site scripting (XSS) vulnerability in Horde before 2.2.9 allows remote attackers to inject arbitrary web script
CVE-2005-3344
all versions
The default installation of Horde 3.0.4 contains an administrative account with a blank password, which allows remote attackers to
CVE-2005-1319
<= 3.2.2
Cross-site scripting (XSS) vulnerability in Horde IMP Webmail client before 3.2.8 allows remote attackers to inject arbitrary web
CVE-2005-1314
all versions
Cross-site scripting (XSS) vulnerability in Horde Kronolith module before 1.1.4 allows remote attackers to inject arbitrary web sc
CVE-2005-0961
all versions
Cross-site scripting (XSS) vulnerability in Horde 3.0.4 before 3.0.4-RC2 allows remote attackers to inject arbitrary web script or
CVE-2005-0378
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Horde 3.0 allow remote attackers to inject arbitrary web script or HTML via
CVE-2004-2741
all versions
Cross-site scripting (XSS) vulnerability in the "help window" (help.php) in Horde Application Framework 2.2.6 allows remote attack
CVE-2004-1443
all versions
Cross-site scripting (XSS) vulnerability in the inline MIME viewer in Horde-IMP (Internet Messaging Program) 3.2.4 and earlier, wh
CVE-2004-0584
all versions
Unknown vulnerability in Horde IMP 3.2.3 and earlier, before a "security fix," does not properly validate input, which allows remo
CVE-2003-0728
<= 2.2.4
Horde before 2.2.4 allows remote malicious web sites to steal session IDs and read or create arbitrary email by stealing the ID fr
CVE-2003-0025
all versions
Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow remote attackers to perform unauthorized database activities
CVE-2002-2024
all versions
Horde IMP 2.2.7 allows remote attackers to obtain the full web root pathname via an HTTP request for (1) poppassd.php3, (2) login.
5.3
MEDIUM
CVE-2002-0181
all versions
Cross-site scripting vulnerability in status.php3 for IMP 2.2.8 and HORDE 1.2.7 allows remote attackers to execute arbitrary web s
CVE-2001-0744
<= 2.2.4
Horde IMP 2.2.4 and earlier allows local users to overwrite files via a symlink attack on a temporary file.
CVE-2001-1258
all versions
Horde Internet Messaging Program (IMP) before 2.2.6 allows local users to read IMP configuration files and steal the Horde databas
CVE-2001-1257
all versions
Cross-site scripting vulnerability in Horde Internet Messaging Program (IMP) before 2.2.6 and 1.2.6 allows remote attackers to exe
CVE-2000-0911
all versions
IMP 2.2 and earlier allows attackers to read and delete arbitrary files by modifying the attachment_name hidden form variable, whi
CVE-2000-0910
all versions
Horde library 1.02 allows attackers to execute arbitrary commands via shell metacharacters in the "from" address.
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin