Bug 228505 (CVE-2008-6746)

Summary:	<www-apps/horde-turba-2.2.1 XSS vulnerability in contact view (CVE-2008-6746)
Product:	Gentoo Security	Reporter:	Matthias Geerdsen (RETIRED) <vorlon>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	asl
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://lists.horde.org/archives/announce/2008/000414.html
Whiteboard:	~4 [noglsa]
Package list:		Runtime testing required:	---

Description Matthias Geerdsen (RETIRED) gentoo-dev

2008-06-20 11:20:49 UTC

from the 2.2.1 announcement:
"This is a bugfix release that also fixes an XSS (cross site scripting)
vulnerability in the contact view."

http://secunia.com/advisories/30704/

Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev

2008-06-20 12:09:55 UTC

I did not check if 2.1.7 is affected too, thus leaving the ranking at ?4
Could someone please check that and see if a fix is available in case it is affected as well.

Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev

2008-06-24 11:13:01 UTC

Added horde-turba-2.2.1, removed vulnerable horde-turba-2.2 as it was unstable on all arches. webapps-done.

Comment 3 Arnaud Launay 2008-12-10 20:20:16 UTC

BTW, is there a plan to stabilize horde-* to the newer versions ?

Comment 4 Alex Legler (RETIRED) archtester

2009-08-14 12:30:21 UTC

CVE-2008-6746 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6746):
  Cross-site scripting (XSS) vulnerability in the contact display view
  in Turba Contact Manager H3 before 2.2.1 allows remote attackers to
  inject arbitrary web script or HTML via the contact name.

Comment 5 Alex Legler (RETIRED) archtester

2009-08-14 12:31:33 UTC

(In reply to comment #1)
> I did not check if 2.1.7 is affected too, thus leaving the ranking at ?4
> Could someone please check that and see if a fix is available in case it is
> affected as well.
> 

It is not. The vulnerable code is in contact.php which is not there in 2.1.7.