GLSA Advocate
Posted: Sun May 01, 2005 4:25 pm Post subject: [ GLSA 200505-01 ] Horde Framework: Multiple XSS vulnerabili
Gentoo Linux Security Advisory
Title: Horde Framework: Multiple XSS vulnerabilities (GLSA 200505-01)
Severity: low
Exploitable: remote
Date: May 01, 2005
Bug(s): #90365
ID: 200505-01
Synopsis
Various modules of the Horde Framework are affected by multiple
cross-site scripting (XSS) vulnerabilities.
Background
The Horde Framework is a PHP-based framework for building web
applications. It provides many modules including calendar, address
book, CVS viewer and Internet Messaging Program.
Affected Packages
Package: www-apps/horde-vacation
Vulnerable: < 2.2.2
Unaffected: >= 2.2.2
Architectures: All supported architectures
Package: www-apps/horde-turba
Vulnerable: < 1.2.5
Unaffected: >= 1.2.5
Architectures: All supported architectures
Package: www-apps/horde-passwd
Vulnerable: < 2.2.2
Unaffected: >= 2.2.2
Architectures: All supported architectures
Package: www-apps/horde-nag
Vulnerable: < 1.1.3
Unaffected: >= 1.1.3
Architectures: All supported architectures
Package: www-apps/horde-mnemo
Vulnerable: < 1.1.4
Unaffected: >= 1.1.4
Architectures: All supported architectures
Package: www-apps/horde-kronolith
Vulnerable: < 1.1.4
Unaffected: >= 1.1.4
Architectures: All supported architectures
Package: www-apps/horde-imp
Vulnerable: < 3.2.8
Unaffected: >= 3.2.8
Architectures: All supported architectures
Package: www-apps/horde-accounts
Vulnerable: < 2.1.2
Unaffected: >= 2.1.2
Architectures: All supported architectures
Package: www-apps/horde-forwards
Vulnerable: < 2.2.2
Unaffected: >= 2.2.2
Architectures: All supported architectures
Package: www-apps/horde-chora
Vulnerable: < 1.2.3
Unaffected: >= 1.2.3
Architectures: All supported architectures
Package: www-apps/horde
Vulnerable: < 2.2.8
Unaffected: >= 2.2.8
Architectures: All supported architectures
Description
Cross-site scripting vulnerabilities have been discovered in
various modules of the Horde Framework.
Impact
These vulnerabilities could be exploited by an attacker to execute
arbitrary HTML and script code in the context of the victim's browser.
Workaround
There is no known workaround at this time.
Resolution
All Horde users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-vacation-2.2.2"
All Horde Turba users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-turba-1.2.5"
All Horde Passwd users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-passwd-2.2.2"
All Horde Nag users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-nag-1.1.3"
All Horde Mnemo users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-mnemo-1.1.4"
All Horde Kronolith users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-kronolith-1.1.4"
All Horde IMP users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-imp-3.2.8"
All Horde Accounts users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-accounts-2.1.2"
All Horde Forwards users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-forwards-2.2.2"
All Horde Chora users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-chora-1.2.3"
References
Horde Announcement
Last edited by GLSA on Wed Jun 15, 2011 4:19 am; edited 3 times in total
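One way to check a host's package inventory against the Affected Packages list, before and after running the emerge commands; this is an added example, not part of the advisory and not Portage code. It assumes a simplified version syntax (dotted numbers with an optional `_suffix` and `-rN` revision), and the sample inventory is constructed.

```python
import re

# Fixed versions ("Unaffected: >=") copied from the Affected Packages list.
FIXED = {
    "www-apps/horde": "2.2.8",
    "www-apps/horde-vacation": "2.2.2",
    "www-apps/horde-turba": "1.2.5",
    "www-apps/horde-passwd": "2.2.2",
    "www-apps/horde-nag": "1.1.3",
    "www-apps/horde-mnemo": "1.1.4",
    "www-apps/horde-kronolith": "1.1.4",
    "www-apps/horde-imp": "3.2.8",
    "www-apps/horde-accounts": "2.1.2",
    "www-apps/horde-forwards": "2.2.2",
    "www-apps/horde-chora": "1.2.3",
}
# category/name-version with optional _suffix and -rN (simplified; assumption).
ATOM = re.compile(
    r"^(?P<pkg>[\w+.-]+/[\w+.-]+?)-(?P<ver>\d+(?:\.\d+)*)"
    r"(?P<suf>_(?:alpha|beta|pre|rc|p)\d*)?(?:-r\d+)?$"
)
PRERELEASE = ("_alpha", "_beta", "_pre", "_rc")

def as_tuple(version):
    return tuple(int(part) for part in version.split("."))

def vulnerable(installed):
    """Return (installed atom, upgrade target) pairs for packages below the fix."""
    hits = []
    for atom in installed:
        m = ATOM.match(atom.strip())
        if m is None:
            raise ValueError(f"unrecognised package atom: {atom!r}")
        fixed = FIXED.get(m["pkg"])
        if fixed is None:
            continue  # package is not covered by this advisory
        ver, target = as_tuple(m["ver"]), as_tuple(fixed)
        # A pre-release of the fixed version still sorts below the release;
        # a -rN revision never lowers a version, so it is ignored here.
        pre = m["suf"] is not None and m["suf"].startswith(PRERELEASE)
        if ver < target or (ver == target and pre):
            hits.append((atom.strip(), f">={m['pkg']}-{fixed}"))
    return hits

# Constructed sample inventory, not taken from a real host.
SAMPLE = ["www-apps/horde-2.2.7", "www-apps/horde-imp-3.2.8",
          "www-apps/horde-turba-1.2.4-r1", "www-apps/horde-nag-1.1.3_rc1",
          "www-apps/horde-chora-1.2.3-r2", "dev-lang/php-4.3.11"]

if __name__ == "__main__":
    for atom, target in vulnerable(SAMPLE):
        print(f'{atom}: upgrade with emerge --ask --oneshot --verbose "{target}"')
```

An empty result after the upgrade means every installed Horde module is at or above the version the advisory lists as unaffected.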