Summary: | www-apps/horde-{groupware,webmail}: multiple vulnerabilites (CVE-2009-4363,CVE-2010-{3077,3693,3695,4778}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559&r2=1.515.2.589&ty=h | ||
Whiteboard: | ~4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-03-06 14:57:15 UTC
webapps: I have taken over the split horde ebuilds, but I have no interest in the groupware and webmail packages. Can we schedule them for treecleaning? # Alex Legler <a3li@gentoo.org> (28 Nov 2010) # Not maintained, multiple security issues. # Use the split horde ebuilds instaed. Can we just remove the ebuilds? CVE-2010-4778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4778): Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail configuration, a different issue than CVE-2010-3695. NOTE: some of these details are obtained from third party information. CVE-2010-3695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3695): Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration. CVE-2010-3693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3693): Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names. CVE-2010-3077 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3077): Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter. Packages were never stable and are now gone. Closing noglsa. |