CVE-2010-3314 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3314): Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to inject arbitrary web script or HTML via the lang parameter. Please punt the ancient 1.4.004 and provide an ebuild for the newest version which is already 1.8.001.
CVE-2010-3313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3313): phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.
None of those ebuilds are in the tree anymore (and have been for a while). Imho you can close this bug.
Stabilization is being performed in bug 434040.
It looks like this was never re-rated after the addition of CVE-2010-3313. Filing a new GLSA request for this and bug 284536.
This version is obsolete and no longer maintained by upstream.
This issue was resolved and addressed in GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml by GLSA coordinator Sean Amoss (ackle).
