
Bug 90365

Summary: www-apps/horde-*: Cross-Site Scripting Vulnerability
Product: Gentoo Security
Reporter: Jean-François Brunette (RETIRED)
Component: Vulnerabilities
Assignee: Gentoo Security
Status: RESOLVED FIXED
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard: B4 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 06:48:27 UTC
Description:
A vulnerability has been reported in ***, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to a parent frame's page title is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
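The defensive side of the issue described above, as an added illustration that is not code from this bug or from Horde (helper names are assumptions): a page title arriving from another frame is escaped before it is reflected into HTML, and the check shows why the title context needs it.

```javascript
// Added example (not Horde code): escaping an externally supplied page title
// before it is reflected into HTML. Helper names are assumptions.

// Escape the characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: the title is concatenated verbatim. <title> content is RCDATA, so an
// input containing "</title>" ends the element and everything after it is
// parsed as ordinary markup.
function renderTitleTagUnsafe(title) {
  return '<title>' + title + '</title>';
}

// Hardened: escape first, so no input can close the <title> element early.
function renderTitleTag(title) {
  return '<title>' + escapeHtml(title) + '</title>';
}

// Count the "</title>" closings in rendered markup; a correctly escaped title
// always yields exactly one (the one the template itself emits).
function countTitleClosings(markup) {
  return (markup.match(/<\/title>/gi) || []).length;
}

// Client-side variant: when a frame updates the parent document's title, assign
// the text property instead of writing markup into the parent. document.title
// is plain text, so no HTML interpretation happens.
function setParentTitle(parentDoc, title) {
  parentDoc.title = String(title);
  return parentDoc.title;
}

// Constructed sample input: a title that tries to break out of <title>.
const SAMPLE_TITLE = 'Inbox </title><b>not a title</b>';
```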
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 06:49:28 UTC
*** Bug 90364 has been marked as a duplicate of this bug. ***
Comment 2 Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 06:52:14 UTC
Update to version 1.2.3.
http://www.horde.org/chora/download/

Update to version 2.2.2.
http://www.horde.org/forwards/download/

Update to version 2.1.2.
http://www.horde.org/accounts/download/

Update to version 1.1.3.
http://www.horde.org/nag/download/

Update to version 1.1.4.
http://www.horde.org/mnemo/download/

Update to version 2.2.2.
http://www.horde.org/vacation/download/
Comment 3 Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 08:19:19 UTC
Secunia just released new advisories... horde-{imp|turba|passwd|} are also vulnerable
Comment 4 Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 08:22:01 UTC
Let's say horde-* 
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-25 12:28:04 UTC
vapier please advise.
Comment 6 SpanKY gentoo-dev 2005-04-25 19:59:50 UTC
all versions are bumped and in portage now, keyworded and all that jazz
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-04-26 07:42:23 UTC
Ready for GLSA vote apparently
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-04-28 09:39:46 UTC
I vote NO
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-28 12:52:37 UTC
We used to issue GLSAs for XSS issues in Squirrelmail, I see no reason to do otherwise with horde-*(imp) -> voting YES.

http://marc.theaimsgroup.com/?l=horde-announce&r=1&b=200504&w=2

Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-04-29 11:22:51 UTC
Reversing vote, after all there are plenty :)
Comment 11 Luke Macken (RETIRED) gentoo-dev 2005-05-01 09:11:26 UTC
GLSA 200505-01