{"id":"CVE-2017-16906","details":"In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a \"Calendar -\u003e New Event\" action.","modified":"2026-04-10T03:57:59.195974Z","published":"2017-11-20T20:29:00.340Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00049.html"},{"type":"REPORT","url":"http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html"},{"type":"FIX","url":"https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d"},{"type":"EVIDENCE","url":"https://github.com/starnightcyber/Miscellaneous/blob/master/Horde/README.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/horde/horde","events":[{"introduced":"801083b02b92b8ba6710471253ecf4b36943c80d"},{"last_affected":"da4d701808c3af4100bd1f2d7f0fd07854267fa9"}],"database_specific":{"versions":[{"introduced":"5.2.19"},{"last_affected":"5.2.22"}]}},{"type":"GIT","repo":"https://github.com/horde/kronolith","events":[{"introduced":"0"},{"fixed":"09d90141292f9ec516a7a2007bf828ce2bbdf60d"}]}],"versions":["ansel-3.0.7","ansel-3.0.8","content-2.0.6","gollem-3.0.11","gollem-3.0.12","groupware-5.2.20","groupware-5.2.21","groupware-5.2.22","horde-5.2.15","horde-5.2.16","horde-5.2.17","imp-6.2.19","imp-6.2.20","imp-6.2.21","ingo-3.2.15","ingo-3.2.16","kronolith-4.2.21","kronolith-4.2.22","kronolith-4.2.23","mnemo-4.2.14","nag-4.2.15","nag-4.2.16","nag-4.2.17","passwd-5.0.7","timeobjects-2.1.4","trean-1.1.8","trean-1.1.9","turba-4.2.20","turba-4.2.21","v3.0.0","v3.0.0alpha1","v3.0.0beta1","v3.0.0rc1","v3.0.0rc2","v3.0.1","v4.0.0","v4.0.0beta1","v4.0.0beta2","v4.0.0rc1","v4.0.1","v4.0.2","v4.0.3","v4.0.4","v4.1.0","v4.1.0beta1","v4.1.0beta2","v4.1.0rc1","v4.1.1","v4.1.2","v4.1.3","v4.1.4","v4.2.0","v4.2.0alpha1","v4.2.0alpha2","v4.2.0beta1","v4.2.0beta2","v4.2.0rc1","v4.2.0rc2","v4.2.1","v4.2.10","v4.2.11","v4.2.12","v4.2.13","v4.2.14","v4.2.15","v4.2.16","v4.2.17","v4.2.18","v4.2.19","v4.2.2","v4.2.20","v4.2.21","v4.2.22","v4.2.23","v4.2.24","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9","webmail-5.2.19","webmail-5.2.20","webmail-5.2.21","webmail-5.2.22","whups-3.0.10","whups-3.0.11","whups-3.0.12","wicked-2.0.8","wicked-2.0.8rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16906.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}