CVE-2009-4363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4363): Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."
webapps: I have taken over the split horde ebuilds, but I have no interest in the groupware and webmail packages. Can we schedule them for treecleaning?
# Alex Legler <a3li@gentoo.org> (28 Nov 2010) # Not maintained, multiple security issues. # Use the split horde ebuilds instaed. Can we just remove the ebuilds?
CVE-2010-4778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4778): Multiple cross-site scripting (XSS) vulnerabilities in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka fmusername), (2) password (aka fmpassword), or (3) server (aka fmserver) field in a fetchmail_prefs_save action, related to the Fetchmail configuration, a different issue than CVE-2010-3695. NOTE: some of these details are obtained from third party information. CVE-2010-3695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3695): Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration. CVE-2010-3693 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3693): Cross-site scripting (XSS) vulnerability in Horde Dynamic IMP (DIMP) before 1.1.5, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via vectors related to displaying mailbox names. CVE-2010-3077 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3077): Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter.
Packages were never stable and are now gone. Closing noglsa.