Two cross-site scripting (XSS) vulnerabilities were reported in Horde
Framework. The first is that the Horde framework fails to properly
sanitize the filename of MIME attachments on received emails. The second
vulnerability has a wider impact.
Patches are available. For full information please see attached URL.
Horde-3.1.9 and Horde-3.2.2 are in the tree.
Targets for horde-3.1.9:
alpha amd64 hppa ppc sparc x86
Sparc stable for www-apps/horde-3.1.9. If you wanted 3.2.2 as well, please add us back.
Both horde-webmail and horde-groupware bundle the horde packages and have been updated to horde-webmail-1.0.8, -1.1.3 and horde-groupware-1.0.7, -1.1.3.
Thanks for bumping. Stable targets is solely
Stable for HPPA.
Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in
the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers
to inject arbitrary web script or HTML via the filename of a MIME
attachment in an e-mail message.
Cross-site scripting (XSS) vulnerability in (1)
Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x
before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier
allows remote attackers to inject arbitrary web script or HTML by
using / (slash) characters as replacements for spaces in an HTML
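As an added illustration (not Horde's or Popoon's code), the block below contrasts a whitespace-only regex filter of the kind the second CVE describes with an HTML-tokenizer check that treats `/` as an attribute separator, and shows the output encoding of an attachment filename that the first CVE calls for. The regex, the sample markup and the function names are constructed for this example.

```python
"""Constructed example: why an XSS filter that only treats whitespace as an
attribute separator can be slipped past with '/' characters, and what a
tokenizer-based check plus output encoding look like instead."""
import html
import re
from html.parser import HTMLParser

# Hypothetical naive filter: only notices an event-handler attribute when
# whitespace follows the tag name (the weakness the advisory describes).
_NAIVE_EVENT_ATTR = re.compile(r"<\w+\s+[^>]*?\bon\w+\s*=", re.IGNORECASE)


def naive_filter_flags(markup: str) -> bool:
    """True if the whitespace-only regex notices an on* attribute."""
    return _NAIVE_EVENT_ATTR.search(markup) is not None


class _EventAttrFinder(HTMLParser):
    """Tokenizer-based check: the stdlib parser treats '/' like whitespace
    between attributes, so on* handlers are found however they are separated."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.found.append((tag, name))

    handle_startendtag = handle_starttag  # also cover <tag .../> forms


def parser_filter_flags(markup: str) -> bool:
    """True if the tokenizer finds any on* attribute on any tag."""
    finder = _EventAttrFinder()
    finder.feed(markup)
    finder.close()
    return bool(finder.found)


def escape_attachment_name(filename: str) -> str:
    """Output-encode an untrusted MIME attachment filename before it is
    placed into HTML; this is the fix for the first CVE's class of bug."""
    return html.escape(filename, quote=True)


# Constructed samples: the second replaces the separating spaces with '/'.
SPACE_SEPARATED = '<img src="x" onerror=x>'
SLASH_SEPARATED = '<img/src="x"/onerror=x>'
```

The regex accepts the slash-separated sample while the tokenizer flags both, which is the argument for parsing markup rather than pattern-matching it.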
Time for GLSA decision, I vote NO.
NO too, closing.