NVD Vulnerability Detail

CVE-2020-8034

Summary	Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.22 and other products, is affected by a reflected Cross-Site Scripting (XSS) vulnerability via the HTTP GET dir parameter in the browser functionality, affecting breadcrumb output. An attacker can obtain access to a victim's webmail account by making them visit a malicious URL.
Publication Date	May 19, 2020, 2:15 a.m.
Registration Date	Jan. 26, 2021, 12:01 p.m.
Last Update	Nov. 21, 2024, 2:38 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:horde:groupware:5.2.22::::webmail:::
cpe:2.3:a:horde:gollem::::::::				3.0.13

Related information, measures and tools

No	URL	タグ
1	https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES	Release Notes Third Party Advisory
2	https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES	Release Notes Third Party Advisory
3	https://github.com/horde/gollem/commits/master	Patch Third Party Advisory
4	https://github.com/horde/gollem/commits/master	Patch Third Party Advisory
5	https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html
6	https://lists.debian.org/debian-lts-announce/2020/05/msg00033.html
7	https://lists.horde.org/archives/announce/2020/001289.html	Mailing List Vendor Advisory
8	https://lists.horde.org/archives/announce/2020/001289.html	Mailing List Vendor Advisory
9	https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html	Mailing List Vendor Advisory
10	https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html	Mailing List Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

Gollem におけるクロスサイトスクリプティングの脆弱性

Title	Gollem におけるクロスサイトスクリプティングの脆弱性
Summary	Gollem には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 20, 2020, midnight
Registration Date	June 16, 2020, 6:17 p.m.
Last Update	June 16, 2020, 6:17 p.m.

Affected System

Horde

gollem 3.0.13 未満

Horde Groupware

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-8034	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8034
National Vulnerability Database (NVD)
2	CVE-2020-8034	https://nvd.nist.gov/vuln/detail/CVE-2020-8034

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	gollem/docs/CHANGES	https://github.com/horde/gollem/blob/95b2a4212d734f1b27aaa7a221d2fa1370d2631f/docs/CHANGES
2	horde/gollem	https://github.com/horde/gollem/commits/master
Horde
3	[announce] [SECURITY] Gollem H5 (3.0.13) (final)	https://lists.horde.org/archives/announce/2020/001289.html
4	[gollem] [SECURITY] Gollem H5 (3.0.13) (final)	https://lists.horde.org/archives/gollem/Week-of-Mon-20200420/001990.html

Change Log

No	Changed Details	Date of change
1	[2020年06月16日] 掲載	June 16, 2020, 6:17 p.m.