[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

250108

 
 

909

 
 

196064

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2008-0807Date: (C)2008-02-18   (M)2023-12-22


lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 4.9
Exploit Score: 6.8
Impact Score: 4.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
  
Reference:
SECTRACK-1019433
BID-27844
SECUNIA-28982
SECUNIA-29071
SECUNIA-29184
SECUNIA-29185
SECUNIA-29186
ADV-2008-0593
DSA-1507
FEDORA-2008-2040
FEDORA-2008-2087
http://lists.horde.org/archives/announce/2008/000380.html
http://lists.horde.org/archives/announce/2008/000381.html
http://lists.horde.org/archives/announce/2008/000378.html
http://lists.horde.org/archives/announce/2008/000379.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
https://bugzilla.redhat.com/show_bug.cgi?id=432027

CPE    1
cpe:/o:debian:debian_linux:4.0
CWE    1
CWE-264
OVAL    1
oval:org.mitre.oval:def:8049

© SecPod Technologies