Two cross-site scripting (XSS) vulnerabilities were reported in the Horde Framework. The first is that the Horde framework fails to properly sanitize the filename of MIME attachments on received emails. The second vulnerability has a wider impact. Patches are available. For full information, please see the attached URL.
Horde-3.1.9 and Horde-3.2.2 are in the tree. Targets for horde-3.1.9: alpha amd64 hppa ppc sparc x86
Sparc stable for www-apps/horde-3.1.9. If you wanted 3.2.2 as well, please add us back.
Both horde-webmail and horde-groupware bundle the horde packages and have been updated to horde-webmail-1.0.8, -1.1.3 and horde-groupware-1.0.7, -1.1.3.
Thanks for bumping. The stable target is solely =www-apps/horde-3.1.9.
Stable for HPPA.
CVE-2008-3823 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3823): Cross-site scripting (XSS) vulnerability in MIME/MIME/Contents.php in the MIME library in Horde 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via the filename of a MIME attachment in an e-mail message. CVE-2008-3824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3824): Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier allows remote attackers to inject arbitrary web script or HTML by using / (slash) characters as replacements for spaces in an HTML e-mail message.
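As an added illustration (not part of this bug thread and not Horde's own code), the two weaknesses the CVE text describes, in Python with constructed samples: an event-handler stripper that only recognises whitespace as an attribute separator beside one that also treats `/` as a separator, and an attachment filename rendered unescaped beside the escaped form. All function and sample names are assumptions.

```python
import html
import re

# Constructed samples (not from the advisory): the same element written with
# spaces and with "/" separating attributes. HTML parsers accept both forms.
SPACE_SAMPLE = '<img src="x.png" onload=probe()>'
SLASH_SAMPLE = '<img/src="x.png"/onload=probe()>'


def _strip_event_handlers(markup: str, separator: str) -> str:
    """Remove on*=... attributes that directly follow the separator class."""
    pattern = re.compile(
        rf"(?<={separator})on\w+\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s/>]+)",
        re.IGNORECASE,
    )
    return pattern.sub("", markup)


def naive_filter(markup: str) -> str:
    """Only whitespace counts as a separator: the CVE-2008-3824 class of gap."""
    return _strip_event_handlers(markup, r"\s")


def hardened_filter(markup: str) -> str:
    """Treat "/" like whitespace, as the HTML tokenizer does between attributes."""
    return _strip_event_handlers(markup, r"[\s/]")


def contains_event_handler(markup: str) -> bool:
    """Detection check: does any on*= attribute survive filtering?"""
    return re.search(r"on\w+\s*=", markup, re.IGNORECASE) is not None


def attachment_link_unsafe(filename: str) -> str:
    """Filename interpolated into HTML verbatim (the CVE-2008-3823 class)."""
    return f'<a href="download?name={filename}">{filename}</a>'


def attachment_link_safe(filename: str) -> str:
    """Escape for attribute and text context before rendering the filename."""
    safe = html.escape(filename, quote=True)
    return f'<a href="download?name={safe}">{safe}</a>'


if __name__ == "__main__":
    for label, sample in (("space", SPACE_SAMPLE), ("slash", SLASH_SAMPLE)):
        print(label, "naive keeps handler:", contains_event_handler(naive_filter(sample)),
              "hardened keeps handler:", contains_event_handler(hardened_filter(sample)))
    print(attachment_link_safe("quarterly<b>report</b>.txt"))
```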
alpha/x86 stable
amd64 stable
ppc stable
Time for GLSA decision, I vote NO.
NO too, closing.