CVE-2010-3695

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration.

• CWE-79

• http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.htmlExploit
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598584Exploit, Patch
• http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.424&r2=1.699.2.430&ty=h
• http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde&r1=1.35.2.11&r2=1.35.2.13&ty=h
• http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11Patch
• http://lists.horde.org/archives/announce/2010/000558.htmlPatch
• http://lists.horde.org/archives/announce/2010/000568.html
• http://openwall.com/lists/oss-security/2010/09/30/7Exploit, Patch
• http://openwall.com/lists/oss-security/2010/09/30/8Exploit, Patch
• http://openwall.com/lists/oss-security/2010/10/01/6Patch
• http://secunia.com/advisories/41627Vendor Advisory
• http://secunia.com/advisories/43896Vendor Advisory
• http://securityreason.com/securityalert/8170
• http://www.debian.org/security/2011/dsa-2204
• http://www.securityfocus.com/archive/1/513992/100/0/threaded
• http://www.securityfocus.com/bid/43515Exploit
• http://www.vupen.com/english/advisories/2010/2513Vendor Advisory
• http://www.vupen.com/english/advisories/2011/0769Vendor Advisory
• https://bugzilla.redhat.com/show_bug.cgi?id=641069Exploit, Patch
• http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.htmlExploit
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598584Exploit, Patch
• http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.424&r2=1.699.2.430&ty=h
• http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde&r1=1.35.2.11&r2=1.35.2.13&ty=h
• http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11Patch
• http://lists.horde.org/archives/announce/2010/000558.htmlPatch
• http://lists.horde.org/archives/announce/2010/000568.html
• http://openwall.com/lists/oss-security/2010/09/30/7Exploit, Patch
• http://openwall.com/lists/oss-security/2010/09/30/8Exploit, Patch
• http://openwall.com/lists/oss-security/2010/10/01/6Patch
• http://secunia.com/advisories/41627Vendor Advisory
• http://secunia.com/advisories/43896Vendor Advisory
• http://securityreason.com/securityalert/8170
• http://www.debian.org/security/2011/dsa-2204
• http://www.securityfocus.com/archive/1/513992/100/0/threaded
• http://www.securityfocus.com/bid/43515Exploit
• http://www.vupen.com/english/advisories/2010/2513Vendor Advisory
• http://www.vupen.com/english/advisories/2011/0769Vendor Advisory
• https://bugzilla.redhat.com/show_bug.cgi?id=641069Exploit, Patch

Published

Mar 31, 2011

Last Modified

Jun 16, 2026

Status

Modified