CVE-2017-15235

Weakness type: Direct Request ('Forced Browsing') (CWE-425)

Published: Oct 11, 2017 | Modified: Nov 21, 2024
CVSS 3.x: 7.5 HIGH (source: NVD)
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 5.0 MEDIUM
  Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Ubuntu: MEDIUM

The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename. The v3 vector (AV:N, PR:N, C:H only) matches the description: an unauthenticated remote attacker can read a stored file, but only if the request names that file exactly, and the flaw carries no integrity or availability impact.

Weakness 

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
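To make the weakness class concrete, the following is an added example written for this page in Python; it is not Horde or gollem code and does not reproduce the actual gollem code path, which the page does not describe. It models a download handler that serves any exactly named stored file without consulting the session (the direct-request flaw) next to a version that authenticates and authorizes inside the handler itself. The filenames, session ids, and the FILE_STORE and SESSIONS tables are constructed for the example.

```python
"""
Illustrative model of CWE-425 (Direct Request / 'Forced Browsing') on a
file-download endpoint.  Constructed example for this page; it is NOT
Horde/gollem source and does not reproduce gollem's real code path.

The pattern: the page that lists files sits behind the login, but the
download handler never re-checks the session.  Anyone who can name a
stored file exactly (the 'fn' parameter) receives its contents.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stores: filename -> (owner, bytes); session id -> user.
FILE_STORE: Dict[str, Tuple[str, bytes]] = {
    "q3-report.pdf": ("alice", b"%PDF-1.4 confidential quarterly figures"),
    "notes.txt": ("bob", b"bob's private notes"),
}
SESSIONS: Dict[str, str] = {"sid-alice": "alice", "sid-bob": "bob"}


@dataclass
class Request:
    params: Dict[str, str]                       # query string, e.g. {"fn": "..."}
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: bytes = b""


def current_user(req: Request) -> Optional[str]:
    """Resolve the session cookie to a user, or None when unauthenticated."""
    return SESSIONS.get(req.cookies.get("sid", ""))


def download_vulnerable(req: Request) -> Response:
    """Direct-request flaw: the handler assumes only logged-in users reach
    this URL (because the listing page is protected) and serves any exact
    filename without looking at the session."""
    fn = req.params.get("fn", "")
    entry = FILE_STORE.get(fn)
    if entry is None:
        return Response(404)
    return Response(200, entry[1])


def download_fixed(req: Request) -> Response:
    """Hardened: authenticate, then authorize for this object, then serve.
    The check lives in the download handler, not in the page linking to it."""
    user = current_user(req)
    if user is None:
        return Response(401)
    fn = req.params.get("fn", "")
    entry = FILE_STORE.get(fn)
    # One response for 'no such file' and 'not your file', so the endpoint
    # cannot be used as an oracle for guessing exact filenames.
    if entry is None or entry[0] != user:
        return Response(404)
    return Response(200, entry[1])


def probe(handler: Callable[[Request], Response], fn: str,
          sid: Optional[str] = None) -> int:
    """Return the status an attacker or user gets for a given filename guess."""
    cookies = {"sid": sid} if sid else {}
    return handler(Request({"fn": fn}, cookies)).status


if __name__ == "__main__":
    # Unauthenticated request that names the stored file exactly.
    print("vulnerable, anon, exact name:", probe(download_vulnerable, "q3-report.pdf"))
    print("fixed,      anon, exact name:", probe(download_fixed, "q3-report.pdf"))
    print("fixed,      owner           :", probe(download_fixed, "q3-report.pdf", "sid-alice"))
    print("fixed,      other user      :", probe(download_fixed, "q3-report.pdf", "sid-bob"))
```

The vulnerable handler returns 200 to an anonymous request only when the guess matches exactly, which is the precondition the CVE description states and why the impact is confidentiality only. The fixed handler rejects the same request with 401 before any file lookup, and it also refuses to serve another user's file, so authentication and per-object authorization are both enforced on the download URL rather than assumed from the protected listing page.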

Affected Software 

Name        Vendor   Start Version         End Version
Groupware   Horde    5.2.21 (including)    5.2.21 (including)
