CVE-2009-3236
Published: 17 September 2009
The form library in Horde Application Framework 3.2 before 3.2.5 and 3.3 before 3.3.5; Groupware 1.1 before 1.1.6 and 1.2 before 1.2.4; and Groupware Webmail Edition 1.1 before 1.1.6 and 1.2 before 1.2.4 reuses temporary filenames during the upload process, which allows remote attackers with privileges to write to the address book to overwrite arbitrary files and execute PHP code via crafted Horde_Form_Type_image form field elements.
Priority
Status
Package | Release | Status |
---|---|---|
horde3 | dapper | Ignored (end of life) |
horde3 | hardy | Ignored (end of life) |
horde3 | intrepid | Ignored (end of life, was needed) |
horde3 | jaunty | Released (3.2.2+debian0-2+lenny1build0.9.04.1) |
horde3 | karmic | Not vulnerable (3.3.4+debian0-1) |
horde3 | lucid | Not vulnerable (3.3.4+debian0-1) |
horde3 | maverick | Not vulnerable (3.3.4+debian0-1) |
horde3 | natty | Not vulnerable (3.3.4+debian0-1) |
horde3 | oneiric | Not vulnerable (3.3.4+debian0-1) |
horde3 | upstream | Released (3.2.2+debian0-2+lenny1) |