vulnerability
Ubuntu: (CVE-2021-26929): php-horde-text-filter vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Feb 14, 2021 | Jun 26, 2025 | Aug 18, 2025 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
Feb 14, 2021
Added
Jun 26, 2025
Modified
Aug 18, 2025
Description
An XSS issue was discovered in Horde Groupware Webmail Edition through 5.2.22 (where the Horde_Text_Filter library before 2.3.7 is used). The attacker can send a plain text e-mail message, with JavaScript encoded as a link or email that is mishandled by preProcess in Text2html.php, because bespoke use of \x00\x00\x00 and \x01\x01\x01 interferes with XSS defenses.
Solution
no-fix-ubuntu-package
References
- CVE-2021-26929
- https://attackerkb.com/topics/CVE-2021-26929
- CWE-79
- URL-https://github.com/horde/Text_Filter/commit/a2f67da064d7a91440b7a2448e56a6387ab94c67
- URL-https://github.com/horde/Text_Filter/commit/c26f938854c36b981558a3b1b9b2f81403cff60e
- URL-https://github.com/horde/webmail/releases
- URL-https://lists.horde.org/archives/announce/2021/001298.html
- URL-https://www.alexbirnberg.com/horde-xss.html
- URL-https://www.cve.org/CVERecord?id=CVE-2021-26929
- URL-https://www.horde.org/apps/webmail
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.