Candidate: CVE-2017-16908
PublicDate: 2017-11-20 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16908
 http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
 https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716
Description:
 In Horde Groupware 5.2.19, there is XSS via the Name field during creation
 of a new Resource. This can be leveraged for remote code execution after
 compromising an administrator account, because the CVE-2015-7984 CSRF
 protection mechanism can then be bypassed.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N [5.4 MEDIUM]


Patches_php-horde-kronolith:
upstream_php-horde-kronolith: released (4.2.24-1)
precise/esm_php-horde-kronolith: DNE
trusty_php-horde-kronolith: ignored (reached end-of-life)
trusty/esm_php-horde-kronolith: DNE (trusty was needs-triage)
xenial_php-horde-kronolith: not-affected (code not present)
zesty_php-horde-kronolith: ignored (reached end-of-life)
artful_php-horde-kronolith: ignored (reached end-of-life)
bionic_php-horde-kronolith: needed
cosmic_php-horde-kronolith: ignored (reached end-of-life)
disco_php-horde-kronolith: ignored (reached end-of-life)
eoan_php-horde-kronolith: ignored (reached end-of-life)
focal_php-horde-kronolith: DNE
groovy_php-horde-kronolith: DNE
hirsute_php-horde-kronolith: DNE
impish_php-horde-kronolith: DNE
jammy_php-horde-kronolith: DNE
devel_php-horde-kronolith: DNE