Aria-Security Team has discovered a vulnerability in Kronolith, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the "url" parameter in addevent.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Should be grouped with bug #212635 and bug #213493 for GLSA.
I'm not sure whether this has been patched upstream yet, so I'm setting the whiteboard appropriately. Based on comments from rbu@ we might not want to group this with the other bugs for a GLSA because this bug is XSS only.
This issue has been fixed in 2.1.8 of kronolith. A CVE id has been requested. Setting herd and whiteboard.
cc'ing vapier as primary maintainer. Do you know whether other horde packages carry a kronolith copy?
The only packages that would bundle any horde sub-packages would be horde-webmail or horde-groupware.
horde-kronolith-2.1.8 is in the tree.
alpha amd64 hppa ppc sparc x86
Stable for HPPA.
amd64 stable, sorry for the delay.
GLSA vote: NO
NO too, closing.