Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 219304 (CVE-2008-1974) - www-apps/horde-kronolith < 2.1.8 addevent.php cross-site scripting attack (CVE-2008-1974)
Summary: www-apps/horde-kronolith < 2.1.8 addevent.php cross-site scripting attack (CV...
Status: RESOLVED FIXED
Alias: CVE-2008-1974
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29920/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-25 22:42 UTC by Matt Fleming (RETIRED)
Modified: 2008-07-31 08:45 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Fleming (RETIRED) gentoo-dev 2008-04-25 22:42:55 UTC
Aria-Security Team has discovered a vulnerability in Kronolith, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "url" parameter in addevent.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2008-04-25 22:51:32 UTC
Should be grouped with bug #212635 and bug #213493 for glsa.
Comment 2 Matt Fleming (RETIRED) gentoo-dev 2008-04-25 23:24:19 UTC
I'm not sure whether this has been patched upstream yet, so I'm setting the whiteboard appropriately. Based on comments from rbu@ we might not want to group this with the other bugs for a glsa because this bug is xss only.
Comment 3 Matt Fleming (RETIRED) gentoo-dev 2008-04-27 19:08:30 UTC
This issue has been fixed in 2.1.8 of kronolith. A CVE id has been requested. Setting herd and whiteboard.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-04-27 22:04:13 UTC
cc'ing vapier as primary maintainer. Do you know whether other horde packages carry a kronolith copy?
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-29 11:32:12 UTC
CVE-2008-1974
Comment 6 SpanKY gentoo-dev 2008-05-04 10:57:46 UTC
the only packages that would bundle any horde sub-packages would be horde-webmail or horde-groupware
Comment 7 Gunnar Wrobel (RETIRED) gentoo-dev 2008-06-24 11:22:29 UTC
horde-kronolith-2.1.8 is in the tree.

Target archs:

  alpha amd64 hppa ppc sparc x86

Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2008-06-24 21:51:24 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-06-26 11:09:49 UTC
alpha/sparc stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2008-06-26 20:37:59 UTC
ppc stable
Comment 11 Jeroen Roovers gentoo-dev 2008-06-28 15:27:38 UTC
Stable for HPPA.
Comment 12 Markus Meier gentoo-dev 2008-07-06 19:22:12 UTC
amd64 stable, sorry for the delay.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 00:38:53 UTC
GLSA vote: NO
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-31 08:45:36 UTC
NO too, closing.