Bug 308027 (CVE-2009-4363)

Summary: www-apps/horde-{groupware,webmail}: multiple vulnerabilities (CVE-2009-4363, CVE-2010-{3077,3693,3695,4778})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559&r2=1.515.2.589&ty=h
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:57:15 UTC
CVE-2009-4363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4363):
  Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application
  Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde
  Groupware Webmail Edition before 1.2.5 does not properly handle data:
  URIs, which allows remote attackers to conduct cross-site scripting
  (XSS) attacks via data:text/html values for the HREF attribute of an
  A element in an HTML e-mail message.  NOTE: the vendor states that
  the issue is caused by "an XSS vulnerability in Firefox browsers."
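The data: URI case in CVE-2009-4363 above, as an added example that is not Horde's Text_Filter code: an allowlist check on the scheme of every href in an HTML e-mail, so that data:, javascript: and similar schemes are dropped rather than relying on a blocklist of known-bad prefixes. It is written in Python rather than Horde's PHP so it runs stand-alone. The function names safe_href and sanitize_links, the allowed scheme set and the sample message are constructed for this illustration.

```python
"""Allowlist-based href scheme filter for HTML e-mail (added example, not Horde code)."""
import html
import re
from html.parser import HTMLParser
from typing import Tuple

# Constructed allowlist: only these schemes may appear in an <a href>.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Scheme syntax from RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def safe_href(value: str) -> bool:
    """Return True if the href is relative or uses an allow-listed scheme.

    Entity references are decoded and ASCII control/whitespace characters are
    removed before the scheme is read, because browsers tolerate obfuscations
    such as '&#100;ata:' or ' DATA:' that a naive prefix check would miss.
    """
    decoded = html.unescape(value or "")
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", decoded)
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True  # no scheme at all: a relative URL, which cannot be data:/javascript:
    return match.group(1).lower() in ALLOWED_SCHEMES


class _HrefSanitizer(HTMLParser):
    """Re-serialises an HTML fragment, dropping every href that fails safe_href."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = 0

    def _serialise_tag(self, tag, attrs, close):
        parts = [tag]
        for name, value in attrs:  # HTMLParser hands attribute values back already entity-decoded
            if name.lower() == "href" and not safe_href(value or ""):
                self.dropped += 1
                continue  # remove the attribute; the link text stays
            if value is None:
                parts.append(name)
            else:
                parts.append('%s="%s"' % (name, html.escape(value, quote=True)))
        return "<" + " ".join(parts) + close + ">"

    def handle_starttag(self, tag, attrs):
        self.out.append(self._serialise_tag(tag, attrs, ""))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._serialise_tag(tag, attrs, "/"))

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass  # HTML comments are dropped from mail bodies


def sanitize_links(fragment: str) -> Tuple[str, int]:
    """Return (sanitised fragment, number of href attributes removed)."""
    parser = _HrefSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message: one legitimate link and one data:text/html link
# of the kind the CVE description names.
SAMPLE_EMAIL_HTML = (
    '<p>Hi, <a href="https://example.com/invoice">your invoice</a> and '
    '<a href="data:text/html,constructed-test-content">this link</a></p>'
)

if __name__ == "__main__":
    body, removed = sanitize_links(SAMPLE_EMAIL_HTML)
    print(body)
    print("href attributes removed:", removed)
```

The design point is that the check is an allowlist on the parsed scheme, not a search for the string "data:" in the raw attribute; the decode-then-strip step is what makes the encoded and whitespace-padded variants fall into the same branch as the plain one.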
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-17 18:41:07 UTC
webapps: I have taken over the split horde ebuilds, but I have no interest in the groupware and webmail packages. Can we schedule them for treecleaning?
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-19 10:54:49 UTC
# Alex Legler <a3li@gentoo.org> (28 Nov 2010)
# Not maintained, multiple security issues.
# Use the split horde ebuilds instead.

Can we just remove the ebuilds?
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 12:34:57 UTC
CVE-2010-4778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4778):
  Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in
  Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7,
  allow remote attackers to inject arbitrary web script or HTML via the (1)
  username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka
  fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail
  configuration, a different issue than CVE-2010-3695.  NOTE: some of these
  details are obtained from third party information.

CVE-2010-3695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3695):
  Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP
  before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows
  remote attackers to inject arbitrary web script or HTML via the fm_id
  parameter in a fetchmail_prefs_save action, related to the Fetchmail
  configuration.

CVE-2010-3693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3693):
  Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before
  1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote
  attackers to inject arbitrary web script or HTML via vectors related to
  displaying mailbox names.

CVE-2010-3077 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3077):
  Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the
  Horde Application Framework before 3.3.9 allows remote attackers to inject
  arbitrary web script or HTML via the subdir parameter.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-05-03 18:29:28 UTC
Packages were never stable and are now gone. Closing noglsa.