CVE-2008-0807

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2008-0807
lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book.

4.9 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:N

Exploitability : 6.8 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058
http://lists.horde.org/archives/announce/2008/000378.html Patch
http://lists.horde.org/archives/announce/2008/000379.html Patch
http://lists.horde.org/archives/announce/2008/000380.html Patch
http://lists.horde.org/archives/announce/2008/000381.html Patch
http://secunia.com/advisories/28982 Vendor Advisory
http://secunia.com/advisories/29071
http://secunia.com/advisories/29184
http://secunia.com/advisories/29185
http://secunia.com/advisories/29186
http://www.debian.org/security/2008/dsa-1507
http://www.securityfocus.com/bid/27844 Patch
http://www.securitytracker.com/id?1019433
http://www.vupen.com/english/advisories/2008/0593/references
https://bugzilla.redhat.com/show_bug.cgi?id=432027
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00888.html
https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00927.html
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:alpha:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:amd64:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:arm:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:hppa:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:ia-32:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:ia-64:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:m68k:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:mips:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:mipsel:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:powerpc:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:s-390:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:4.0:*:sparc:*:*:*:*:*
OR cpe:2.3:a:horde:groupware:1.0.3:*:*:*:*:*:*:*
cpe:2.3:a:horde:groupware_webmail_edition:1.0.4:*:*:*:*:*:*:*
cpe:2.3:a:horde:turba_contact_manager:2.1.6:*:*:*:*:*:*:*
History

No history.

Information

Published : 2008-02-19 01:00

Updated : 2023-12-10 10:40

NVD link : CVE-2008-0807

Mitre link : CVE-2008-0807

CVE.ORG link : CVE-2008-0807

JSON object : View

Products Affected

horde

  • turba_contact_manager
  • groupware_webmail_edition
  • groupware

debian

  • debian_linux
CWE
CWE-264

Permissions, Privileges, and Access Controls