CVE-2008-0807

lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.

CVSS v2.0 4.9 MEDIUM

4.9^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:N

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
http://lists.horde.org/archives/announce/2008/000378.html	Patch
http://lists.horde.org/archives/announce/2008/000379.html	Patch
http://lists.horde.org/archives/announce/2008/000380.html	Patch
http://lists.horde.org/archives/announce/2008/000381.html	Patch
http://secunia.com/advisories/28982	Vendor Advisory
http://secunia.com/advisories/29071
http://secunia.com/advisories/29184
http://secunia.com/advisories/29185
http://secunia.com/advisories/29186
http://www.debian.org/security/2008/dsa-1507
http://www.securityfocus.com/bid/27844	Patch
http://www.securitytracker.com/id?1019433
http://www.vupen.com/english/advisories/2008/0593/references
https://bugzilla.redhat.com/show_bug.cgi?id=432027
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
http://lists.horde.org/archives/announce/2008/000378.html	Patch
http://lists.horde.org/archives/announce/2008/000379.html	Patch
http://lists.horde.org/archives/announce/2008/000380.html	Patch
http://lists.horde.org/archives/announce/2008/000381.html	Patch
http://secunia.com/advisories/28982	Vendor Advisory
http://secunia.com/advisories/29071
http://secunia.com/advisories/29184
http://secunia.com/advisories/29185
http://secunia.com/advisories/29186
http://www.debian.org/security/2008/dsa-1507
http://www.securityfocus.com/bid/27844	Patch
http://www.securitytracker.com/id?1019433
http://www.vupen.com/english/advisories/2008/0593/references
https://bugzilla.redhat.com/show_bug.cgi?id=432027
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:debian:debian_linux:4.0:::::::*
	cpe:2.3:o:debian:debian_linux:4.0::alpha:::::
	cpe:2.3:o:debian:debian_linux:4.0::amd64:::::
	cpe:2.3:o:debian:debian_linux:4.0::arm:::::
	cpe:2.3:o:debian:debian_linux:4.0::hppa:::::
	cpe:2.3:o:debian:debian_linux:4.0::ia-32:::::
	cpe:2.3:o:debian:debian_linux:4.0::ia-64:::::
	cpe:2.3:o:debian:debian_linux:4.0::m68k:::::
	cpe:2.3:o:debian:debian_linux:4.0::mips:::::
	cpe:2.3:o:debian:debian_linux:4.0::mipsel:::::
	cpe:2.3:o:debian:debian_linux:4.0::powerpc:::::
	cpe:2.3:o:debian:debian_linux:4.0::s-390:::::
	cpe:2.3:o:debian:debian_linux:4.0::sparc:::::

OR	cpe:2.3:a:horde:groupware:1.0.3:::::::*
	cpe:2.3:a:horde:groupware_webmail_edition:1.0.4:::::::*
	cpe:2.3:a:horde:turba_contact_manager:2.1.6:::::::*

History

21 Nov 2024, 00:42

Information

Published : 2008-02-19 01:00

Updated : 2024-11-21 00:42

NVD link : CVE-2008-0807

Mitre link : CVE-2008-0807

CVE.ORG link : CVE-2008-0807

JSON object : View

Products Affected

horde

turba_contact_manager
groupware_webmail_edition
groupware

debian

debian_linux

CWE

CWE-264

Permissions, Privileges, and Access Controls

4.9 /10