CVE-2008-1284

Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name.

Published: 2008-03-11 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2008-1284 is rated Moderate Risk (52.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.67%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2008-1284

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-04-06 1.46% 1.67% +0.20%
2 2026-02-16 1.31% 1.46% +0.15%
3 2025-05-28 1.31%

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-1284

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.0 2.0 MEDIUM
AV:N/AC:M/Au:S/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:S)
A single authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 6.8 6.4 [email protected]

Weakness enumeration for CVE-2008-1284

OS Trackers for CVE-2008-1284

vendor priority summary link
gentoo normal CVE-2008-1284: 1 GLSA(s) (200805-01), 6 atom(s) (www-apps/horde, www-apps/horde-groupware, www-apps/horde-kronolith, www-apps/horde-mnemo, www-apps/horde-nag, www-apps/horde-webmail); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-1284
redhat https://access.redhat.com/security/cve/CVE-2008-1284
ubuntu medium CVE-2008-1284 medium priority: Ubuntu including 1 source packages (horde3), 6 status rows across 6 suites (dapper, edgy, feisty, gutsy, hardy, upstream): released 5, ignored 1. https://ubuntu.com/security/CVE-2008-1284

Affected software / configurations for CVE-2008-1284

Vendor Product Version Raw CPE
horde groupware <= 1.0.4 cpe:2.3:a:horde:groupware:*:*:*:*:*:*:*:*
horde groupware_webmail_edition <= 1.0.5 cpe:2.3:a:horde:groupware_webmail_edition:*:*:*:*:*:*:*:*
horde horde 3.1.6 cpe:2.3:a:horde:horde:3.1.6:*:*:*:*:*:*:*

References for CVE-2008-1284

URL Tags
http://lists.horde.org/archives/announce/2008/000382.html Patch
http://lists.horde.org/archives/announce/2008/000383.html
http://lists.horde.org/archives/announce/2008/000384.html
http://secunia.com/advisories/29286 Vendor Advisory
http://secunia.com/advisories/29374 Vendor Advisory
http://secunia.com/advisories/29400 Vendor Advisory
http://secunia.com/advisories/30047 Vendor Advisory
http://security.gentoo.org/glsa/glsa-200805-01.xml
http://securityreason.com/securityalert/3726
http://www.debian.org/security/2008/dsa-1519
http://www.securityfocus.com/archive/1/489239/100/0/threaded
http://www.securityfocus.com/archive/1/489289/100/0/threaded
http://www.securityfocus.com/bid/28153 Patch
http://www.vupen.com/english/advisories/2008/0822/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41054
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00253.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00301.html
cvelogic Threat Intelligence