Giuseppe Iuculano
2009-Jan-22 07:58 UTC
[Secure-testing-team] Bug#512609: [SA33521] Horde Products Cross-Site Scripting Vulnerability
Package: horde3
Severity: important
Tags: security

Hi,

The following SA (Secunia Advisory) id was published for Horde Products:

SA33521[1]

> DESCRIPTION:
> A vulnerability has been reported in various Horde products, which
> can potentially be exploited to conduct cross-site scripting
> attacks.
>
> Unspecified input is not properly sanitised before being returned to
> the user. This can be exploited to execute arbitrary HTML and script
> code in a user's browser session in the context of an affected site.
>
> Successful exploitation requires that the victim uses Microsoft
> Internet Explorer.
>
> The vulnerability is reported in the following products and
> versions:
> * Horde Groupware Webmail Edition version 1.1.3
> * Horde Groupware Webmail Edition version 1.2
> * Horde Groupware version 1.1.3
> * Horde Groupware version 1.2
> * Horde version H3 (3.3)
> * Horde version H3 (3.2.2)
>
> SOLUTION:
> Update to the latest versions.
>
> Horde Groupware Webmail Edition:
> Update to version 1.1.4 or 1.2.1.
>
> Horde Groupware:
> Update to version 1.1.4 or 1.2.1.
>
> Horde H3:
> Update to version 3.3.1 or 3.2.3.
>
> PROVIDED AND/OR DISCOVERED BY:
> Reported by the vendor.
>
> ORIGINAL ADVISORY:
> Horde:
> http://lists.horde.org/archives/announce/2008/000462.html
> http://lists.horde.org/archives/announce/2008/000464.html
> http://lists.horde.org/archives/announce/2008/000466.html
> http://lists.horde.org/archives/announce/2008/000467.html
> http://lists.horde.org/archives/announce/2008/000471.html
> http://lists.horde.org/archives/announce/2008/000472.html

If you fix the vulnerability please also make sure to include the CVE id (if available) in the changelog entry.

[1] http://secunia.com/advisories/33521/

Cheers,
Giuseppe.