QwikSec

Security Database

CVE

CWE

Training

CVE-2021-26929

Published: Feb 14, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/horde/webmail/releases

x_refsource_MISC

https://www.horde.org/apps/webmail

x_refsource_MISC

https://www.alexbirnberg.com/horde-xss.html

x_refsource_MISC

https://lists.horde.org/archives/announce/2021/001298.html

x_refsource_CONFIRM

[debian-lts-announce] 20210219 [SECURITY] [DLA 2564-1] php-horde-text-filter security update

mailing-list

x_refsource_MLIST

http://packetstormsecurity.com/files/162187/Webmail-Edition-5.2.22-XSS-Remote-Code-Execution.html

x_refsource_MISC

http://packetstormsecurity.com/files/162194/Horde-Groupware-Webmail-5.2.22-Cross-Site-Scripting.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2021-26929 - Security Vulnerability | QwikSec