CVE-2020-8035

| Field | Value |
| --- | --- |
| Name | CVE-2020-8035 |
| Description | The image view functionality in Horde Groupware Webmail Edition before 5.2.22 is affected by a stored Cross-Site Scripting (XSS) vulnerability via an SVG image upload containing a JavaScript payload. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL. |
| Source | CVE (at NVD) |
| References | DLA-2230-1 |
| Debian Bugs | 963809 |

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
| --- | --- | --- | --- |
| php-horde (PTS) | jessie, jessie (lts) | 5.2.1+debian0-2+deb8u6 | fixed |
| php-horde (PTS) | stretch (security), stretch (lts), stretch | 5.2.13+debian0-1+deb9u3 | fixed |
| php-horde (PTS) | buster | 5.2.20+debian0-1+deb10u2 | fixed |
| php-horde (PTS) | bullseye | 5.2.23+debian0-5 | fixed |
| php-horde (PTS) | sid, bookworm | 5.2.23+debian0-6 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
| --- | --- | --- | --- | --- | --- | --- |
| php-horde | source | jessie | 5.2.1+debian0-2+deb8u6 | | DLA-2230-1 | |
| php-horde | source | stretch | 5.2.13+debian0-1+deb9u2 | | | |
| php-horde | source | buster | 5.2.20+debian0-1+deb10u2 | | | |
| php-horde | source | (unstable) | 5.2.23+debian0-1 | | | 963809 |

Notes

https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf
https://lists.horde.org/archives/announce/2020/001290.html
