Debian DSA-1033-1 : horde3 - several vulnerabilities

high Nessus Plugin ID 22575


The remote Debian host is missing a security-related update.


Several remote vulnerabilities have been discovered in the Horde web application framework, which may lead to the execution of arbitrary web script code. The Common Vulnerabilities and Exposures project identifies the following problems:

- CVE-2005-4190 Several cross-site scripting vulnerabilities have been discovered in the 'share edit window'.

- CVE-2006-1260 Null characters in the URL parameter bypass a sanity check, which allowed remote attackers to read arbitrary files, resulting in information disclosure.

- CVE-2006-1491 User input in the help viewer was passed unsanitised to the eval() function, which allowed injection of arbitrary web code.


Upgrade the horde3 package.

The old stable distribution (woody) doesn't contain horde3 packages.

For the stable distribution (sarge) these problems have been fixed in version 3.0.4-4sarge3.

Plugin Details

Severity: High

ID: 22575

File Name: debian_DSA-1033.nasl

Version: 1.18

Type: local

Agent: unix

Published: 10/14/2006

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent

Risk Information


Risk Factor: High

Score: 7.0


Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:horde3, cpe:/o:debian:debian_linux:3.1

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/12/2006

Vulnerability Publication Date: 12/11/2005

Reference Information

CVE: CVE-2005-4190, CVE-2006-1260, CVE-2006-1491

DSA: 1033