193960 2007-09-27 09:02 0000 www-apps/egroupware < 1.4.002 "cat_data[color]" Cross-Site Scripting (CVE-2007-5091) 2007-10-11 21:31:48 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/26944/ B4 [noglsa] P2 minor --- 1 py@gentoo.org security@gentoo.org py@gentoo.org 2007-09-27 09:02:01 0000 Enrico Milanese has reported a vulnerability in eGroupWare, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "cat_data[color]" parameter in preferences/inc/class.uicategories.inc.php and admin/inc/class.uicategories.inc.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in version 1.4.001. Other versions may also be affected. Solution: Fixed in the SVN repository. Provided and/or discovered by: Enrico Milanese Original Advisory: http://www.egroupware.org/viewvc?view=rev&revision=24443 py@gentoo.org 2007-09-27 09:04:05 0000 web-apps please advise. rbu@gentoo.org 2007-09-27 21:19:53 0000 This is CVE-2007-5091. wrobel@gentoo.org 2007-09-29 15:19:39 0000 Version 1.4.002 is in the tree and should be marked stable on the following arches: alpha amd64 hppa ppc x86 py@gentoo.org 2007-09-29 15:26:20 0000 (In reply to comment #3) > Version 1.4.002 is in the tree and should be marked stable on the following > arches: > > alpha amd64 hppa ppc x86 > Thanks gunnar. py@gentoo.org 2007-09-29 15:27:22 0000 oops, seems some arches weren't added. jer@gentoo.org 2007-09-29 16:08:45 0000 Er, so that's =www-apps/egroupware-1.4.002 then. jer@gentoo.org 2007-09-29 17:23:51 0000 Stable for HPPA. maekke@gentoo.org 2007-09-30 15:15:17 0000 x86 stable dertobi123@gentoo.org 2007-09-30 19:58:31 0000 ppc stable armin76@gentoo.org 2007-10-01 13:22:16 0000 alpha stable miknix@gentoo.org 2007-10-05 00:52:23 0000 www-apps/egroupware-1.4.002 USE="gd mysql vhosts -jpgraph -ldap -postgres" - Emerges on AMD64. - I didn't have resources to test all the functionality. Although the setup wizard ran well. kingtaco@gentoo.org 2007-10-11 07:20:33 0000 amd64 stable, thanks mixnix py@gentoo.org 2007-10-11 07:26:50 0000 time for glsa decision. I vote NO. wrobel@gentoo.org 2007-10-11 09:13:53 0000 Removed insecure version. webapps done here. aetius@gentoo.org 2007-10-11 21:28:44 0000 XSS, I vote no. py@gentoo.org 2007-10-11 21:31:48 0000 closing without glsa.