CVE Vulnerabilities

CVE-2017-15235

Direct Request ('Forced Browsing')

Published: Oct 11, 2017 | Modified: Aug 29, 2020
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename.

Weakness

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Affected Software

Name Vendor Start Version End Version
Groupware Horde 5.2.21 5.2.21

Potential Mitigations

References