[pkg-horde] Bug#512609: [SA33521] Horde Products Cross-Site Scripting Vulnerability

Giuseppe Iuculano giuseppe at iuculano.it
Thu Jan 22 07:58:09 UTC 2009


Package: horde3
Severity: important
Tags: security

Hi,

The following SA (Secunia Advisory) id was published for Horde Products:

SA33521[1]

> DESCRIPTION:
> A vulnerability has been reported in various Horde products, which
> can potentially be exploited to conduct cross-site scripting
> attacks.
> 
> Unspecified input is not properly sanitised before being returned to
> the user. This can be exploited to execute arbitrary HTML and script
> code in a user's browser session in the context of an affected site.
> 
> Successful exploitation requires that the victim uses Microsoft
> Internet Explorer.
> 
> The vulnerability is reported in the following products and
> versions:
> * Horde Groupware Webmail Edition version 1.1.3
> * Horde Groupware Webmail Edition version 1.2
> * Horde Groupware version 1.1.3
> * Horde Groupware version 1.2
> * Horde version H3 (3.3)
> * Horde version H3 (3.2.2)
> 
> SOLUTION:
> Update to the latest versions.
> 
> Horde Groupware Webmail Edition:
> Update to version 1.1.4 or 1.2.1.
> 
> Horde Groupware:
> Update to version 1.1.4 or 1.2.1.
> 
> Horde H3:
> Update to version 3.3.1 or 3.2.3.
> 
> PROVIDED AND/OR DISCOVERED BY:
> Reported by the vendor.
> 
> ORIGINAL ADVISORY:
> Horde:
> http://lists.horde.org/archives/announce/2008/000462.html
> http://lists.horde.org/archives/announce/2008/000464.html
> http://lists.horde.org/archives/announce/2008/000466.html
> http://lists.horde.org/archives/announce/2008/000467.html
> http://lists.horde.org/archives/announce/2008/000471.html
> http://lists.horde.org/archives/announce/2008/000472.html


If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.

[1]http://secunia.com/advisories/33521/

Cheers,
Giuseppe.
