CVE-2009-3237

It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.

CVE-2009-3701

It has been discovered that the horde3 administration interface is prone
to cross-site scripting attacks due to the use of the PHP_SELF variable.
This issue can only be exploited by authenticated administrators.

CVE-2009-4363

It has been discovered that horde3 is prone to several cross-site
scripting attacks via crafted data:text/html values in HTML messages.

For the stable distribution (lenny), these problems have been fixed in
version 3.2.2+debian0-2+lenny2.

For the oldstable distribution (etch), these problems have been fixed in
version 3.1.3-4etch7.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in ...