
Bug 297306

Summary: <www-apps/horde-3.3.6 XSS (CVE-2009-3701)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/37709/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-17 17:33:26 UTC
From Secunia ($URL):
A vulnerability has been reported in Horde Application Framework, which can be exploited by malicious people to conduct cross-site scripting attacks.

Certain unspecified input passed to the administration interface is not properly sanitised before being returned. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Update to version 3.3.6 or apply patch.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-17 17:38:01 UTC
Arches, please test and mark stable:
=www-apps/horde-3.3.6
Target keywords : "alpha amd64 hppa ppc sparc x86"
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-17 21:00:50 UTC
x86 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-19 16:36:40 UTC
Stable for HPPA.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-12-21 09:59:02 UTC
amd64 done.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2009-12-21 14:34:57 UTC
alpha/sparc stable
Comment 6 nixnut (RETIRED) gentoo-dev 2009-12-28 18:54:01 UTC
ppc stable
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:41:17 UTC
CVE-2009-3701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3701):
  Multiple cross-site scripting (XSS) vulnerabilities in the
  administration interface in Horde Application Framework before 3.3.6,
  Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition
  before 1.2.5 allow remote attackers to inject arbitrary web script or
  HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3)
  sqlshell.php in admin/, related to the PHP_SELF variable.

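The PHP_SELF/PATH_INFO issue named in the CVE text above, shown as an added illustration that is not Horde's code (the affected admin scripts are not reproduced on this page); the sample path is constructed:

```php
<?php
// PHP_SELF carries any PATH_INFO a client appends after the script name
// (e.g. /admin/phpshell.php/extra), so writing it into HTML unescaped
// lets the request choose what lands in the page.

// Vulnerable pattern: PHP_SELF placed in a form action without escaping.
function form_action_unsafe(string $php_self): string {
    return '<form action="' . $php_self . '" method="post">';
}

// Hardened pattern: HTML-escape it (ENT_QUOTES covers the attribute quotes).
// Using $_SERVER['SCRIPT_NAME'] instead of PHP_SELF also drops PATH_INFO.
function form_action_safe(string $php_self): string {
    return '<form action="' . htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Constructed sample value, not from the page: a benign tag after the script name.
$sample = '/admin/phpshell.php/"><b>injected</b>';
echo form_action_unsafe($sample), "\n"; // quote closes the attribute; <b> is rendered
echo form_action_safe($sample), "\n";   // &quot;&gt;&lt;b&gt; stays inert text
```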
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-11 20:39:22 UTC
XSS → noglsa