Description: A vulnerability has been reported in ***, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to a parent frame's page title is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site.
*** Bug 90364 has been marked as a duplicate of this bug. ***
Update to version 1.2.3. http://www.horde.org/chora/download/
Update to version 2.2.2. http://www.horde.org/forwards/download/
Update to version 2.1.2. http://www.horde.org/accounts/download/
Update to version 1.1.3. http://www.horde.org/nag/download/
Update to version 1.1.4. http://www.horde.org/mnemo/download/
Update to version 2.2.2. http://www.horde.org/vacation/download/
Secunia just released new advisories... horde-{imp|turba|passwd|} are also vulnerable
Let's say horde-*
vapier please advise.
all versions are bumped and in portage now, keyworded and all that jazz
Ready for GLSA vote apparently
I vote NO
We used to issue GLSAs for XSS issues in Squirrelmail, I see no reason to do otherwise with horde-*(imp) -> voting YES. http://marc.theaimsgroup.com/?l=horde-announce&r=1&b=200504&w=2
Reversing vote, after all there are plenty :)
GLSA 200505-01