Horde3 CVE-2008-3330 XSS

Bug #252475 reported by Emanuele Gentili
Affects | Status | Importance | Assigned to | Milestone
horde3 (Debian) | Fix Released | Undecided | Unassigned |
horde3 (Ubuntu) | Fix Released | Medium | Emanuele Gentili |
Intrepid | Fix Released | Medium | Emanuele Gentili |

Bug Description

Cross-site scripting (XSS) vulnerability in services/obrowser/index.php in Horde 3.2 and Turba 2.2 allows remote attackers to inject arbitrary web script or HTML via the contact name.

CVE:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3330

Changed in horde3:
assignee: nobody → emgent
importance: Undecided → Medium
status: New → In Progress
Emanuele Gentili (emgent) wrote :

Only Intrepid is vulnerable, and it is fixed via Debian.
Closing bug.

Changed in horde3:
status: In Progress → Fix Released
Changed in horde3:
status: Unknown → New
Changed in horde3:
status: New → Fix Committed
Artur Rona (ari-tczew) wrote :

 horde3 (3.1.3-4etch5) oldstable-security; urgency=high

   * Backport a patch from Horde upstream to fix an IE-only hole in XSS filter
    (See CVE-2008-5917 for more information). (Closes: #512592)
   * Backport a patch from Horde upstream to fix a file inclusion issue in
     Horde_Image driver name (Image/Image.php). (Closes: #513265)
   * Fix small XSS/unescaped output vulnerability in services/obrowser/index.php
     (see CVE-2008-3330 for more informations). (Closes: #492578)

 -- Gregory Colpart <email address hidden> Thu, 29 Jan 2009 03:17:37 +0100

Changed in horde3 (Debian):
importance: Unknown → Undecided
status: Fix Committed → New
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.