Bug 87134 - www-apps/horde: Page Title Cross-Site Scripting Vulnerability
Summary: www-apps/horde: Page Title Cross-Site Scripting Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/14730/
Whiteboard: ~4 [noglsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-29 09:37 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-03-29 21:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description Jean-François Brunette (RETIRED) gentoo-dev 2005-03-29 09:37:23 UTC
Description:
A vulnerability has been reported in Horde, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed when setting the parent frame's page title via JavaScript is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability has been reported in version 3.0.4-RC2. Prior versions may also be affected.

Solution:
Update to version 3.0.4.
http://ftp.horde.org/pub/horde/horde-latest.tar.gz
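
Added example, not part of the bug report and not Horde's code: the advisory above describes input used to set the parent frame's page title via JavaScript without sanitisation. The sketch below assumes the title is written into an inline script block and shows the unsafe concatenation beside an encoder for that context; all function names and the sample title are constructed.

```javascript
// Constructed sample title: contains a quote and markup characters.
const SAMPLE_TITLE = "Inbox (3)'; </script><b>x";

const PREFIX = "<script>parent.document.title = ";
const SUFFIX = ";</script>";

// Unsafe pattern (assumed shape of the bug class): untrusted text is
// concatenated straight into a JavaScript string literal.
function titleScriptUnsafe(title) {
  return PREFIX + "'" + title + "'" + SUFFIX;
}

// Encode a value as a JavaScript string literal that is also safe inside an
// HTML <script> block. JSON.stringify handles quotes, backslashes and control
// characters; the extra replacements keep the HTML parser from ever seeing
// "<", ">" or "&", and escape the two line separators that older JavaScript
// engines treat as line terminators inside string literals.
function jsStringForScriptBlock(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened form: the title only ever appears as an encoded literal.
function titleScriptSafe(title) {
  return PREFIX + jsStringForScriptBlock(title) + SUFFIX;
}

// Check helper: pull the literal back out of the generated markup and decode
// it as data, to confirm the browser would assign the original text.
function roundTrip(title) {
  const html = titleScriptSafe(title);
  return JSON.parse(html.slice(PREFIX.length, -SUFFIX.length));
}

// Count closing script tags: more than one means the literal was broken out of.
function closingTags(html) {
  return html.split("</script>").length - 1;
}
```
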
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-29 10:05:30 UTC
Vapier/web-apps please bump.
Comment 2 SpanKY gentoo-dev 2005-03-29 15:31:07 UTC
3.0.4 is in cvs

again, no arch has had horde-3 in stable
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-03-29 21:27:48 UTC
Thx Vapier and rainbsoft. Closing as it does not affect any stable packages.