Bug 90365 - www-apps/horde-*: Cross-Site Scripting Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: All
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa] jaervosz
Keywords:
Duplicates: 90364
Depends on:
Blocks:
 
Reported: 2005-04-25 06:48 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-05-01 09:11 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 06:48:27 UTC
Description:
A vulnerability has been reported in ***, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to a parent frame's page title is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
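An added illustration of the defect class the description names (an unsanitised page title reflected into HTML, and into the script that sets a parent frame's title), shown beside the hardened form. This is example code written for this page, not Horde's code; the rendering functions, the constructed hostile title and the assumed "set parent.document.title from an inline script" pattern are illustrative assumptions, not details taken from the advisory.

```python
import html
import json
import re

# Constructed sample input: a page title carrying a script payload.
# Illustrative value only, not the vector from the advisory.
HOSTILE_TITLE = 'Inbox</title><script>alert(1)</script>'

_SCRIPT_OPEN = re.compile(r"<script\b", re.IGNORECASE)


def render_title_unsafe(title: str) -> str:
    """The defect class: the title is interpolated into markup verbatim,
    so a title that contains markup is parsed as markup by the browser."""
    return f"<title>{title}</title>"


def render_title_safe(title: str) -> str:
    """Hardened form for element content: HTML-escape before interpolating."""
    return f"<title>{html.escape(title, quote=True)}</title>"


def js_string_literal(value: str) -> str:
    """Encode a string for a JavaScript string-literal context inside an
    inline <script> block. json.dumps handles quotes and control characters;
    '<', '>' and '&' are additionally written as \\uXXXX escapes so the HTML
    parser never sees a '</script' or any other tag inside the literal."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_parent_title_script_safe(title: str) -> str:
    """Hardened form for the assumed 'set the parent frame's title from a
    script' pattern: the title goes through js_string_literal, so the browser
    assigns it as plain text through the DOM instead of parsing it as markup."""
    return f"<script>parent.document.title = {js_string_literal(title)};</script>"


def js_literal_roundtrips(value: str) -> bool:
    """Sanity check: a JSON parser (stand-in for the JS engine's string
    decoding) recovers exactly the original text from the escaped literal."""
    return json.loads(js_string_literal(value)) == value


def count_script_tags(markup: str) -> int:
    """Simple output check: how many raw <script tags an HTML parser would
    see. A <title> rendering should contain none; the script rendering
    should contain exactly the one we emitted ourselves."""
    return len(_SCRIPT_OPEN.findall(markup))


if __name__ == "__main__":
    for name, fn in (("unsafe title", render_title_unsafe),
                     ("safe title", render_title_safe),
                     ("safe parent-title script", render_parent_title_script_safe)):
        out = fn(HOSTILE_TITLE)
        print(f"{name}: {count_script_tags(out)} raw script tag(s) -> {out}")
```

The two hardened renderers use different encoders because the title lands in two different contexts: HTML element content needs entity escaping, while a value inside an inline script needs a JavaScript string-literal encoding whose output also contains no characters the HTML parser treats as tag delimiters. Picking the escaper by output context, rather than filtering the input, is what closes this class of bug.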
Comment 1 Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 06:49:28 UTC
*** Bug 90364 has been marked as a duplicate of this bug. ***
Comment 2 Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 06:52:14 UTC
Update to version 1.2.3.
http://www.horde.org/chora/download/

Update to version 2.2.2.
http://www.horde.org/forwards/download/

Update to version 2.1.2.
http://www.horde.org/accounts/download/

Update to version 1.1.3.
http://www.horde.org/nag/download/

Update to version 1.1.4.
http://www.horde.org/mnemo/download/

Update to version 2.2.2.
http://www.horde.org/vacation/download/
Comment 3 Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 08:19:19 UTC
Secunia just released new advisories... horde-{imp|turba|passwd|} are also vulnerable
Comment 4 Jean-François Brunette (RETIRED) gentoo-dev 2005-04-25 08:22:01 UTC
Let's say horde-* 
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-25 12:28:04 UTC
vapier please advise.
Comment 6 SpanKY gentoo-dev 2005-04-25 19:59:50 UTC
all versions are bumped and in portage now, keyworded and all that jazz
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-04-26 07:42:23 UTC
Ready for GLSA vote apparently
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-04-28 09:39:46 UTC
I vote NO
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-28 12:52:37 UTC
We used to issue GLSAs for XSS issues in Squirrelmail, I see no reason to do otherwise with horde-*(imp) -> voting YES.

http://marc.theaimsgroup.com/?l=horde-announce&r=1&b=200504&w=2

Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-04-29 11:22:51 UTC
Reversing vote, after all there are plenty :)
Comment 11 Luke Macken (RETIRED) gentoo-dev 2005-05-01 09:11:26 UTC
GLSA 200505-01