From the 2.2.1 announcement: "This is a bugfix release that also fixes an XSS (cross site scripting) vulnerability in the contact view." http://secunia.com/advisories/30704/
I did not check if 2.1.7 is affected too, thus leaving the ranking at ?4. Could someone please check that and see if a fix is available in case it is affected as well?
Added horde-turba-2.2.1, removed vulnerable horde-turba-2.2 as it was unstable on all arches. webapps-done.
BTW, is there a plan to stabilize horde-* to the newer versions?
CVE-2008-6746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6746): Cross-site scripting (XSS) vulnerability in the contact display view in Turba Contact Manager H3 before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the contact name.
(In reply to comment #1)
> I did not check if 2.1.7 is affected too, thus leaving the ranking at ?4
> Could someone please check that and see if a fix is available in case it is
> affected as well.

It is not. The vulnerable code is in contact.php which is not there in 2.1.7.