GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Wed Nov 23, 2005 8:43 am Post subject: [ GLSA 200511-20 ] Horde Application Framework: XSS vulnerab
Gentoo Linux Security Advisory
Title: Horde Application Framework: XSS vulnerability (GLSA 200511-20)
Severity: low
Exploitable: remote
Date: November 22, 2005
Bug(s): #112491
ID: 200511-20
Synopsis
The Horde Application Framework is vulnerable to a cross-site scripting vulnerability which could lead to the compromise of the victim's browser content.
Background
The Horde Application Framework is a general-purpose web application framework written in PHP, providing classes for handling preferences, compression, browser detection, connection tracking, MIME, and more.
Affected Packages
Package: www-apps/horde
Vulnerable: < 2.2.9
Unaffected: >= 2.2.9
Architectures: All supported architectures
Description
The Horde Team reported a potential XSS vulnerability. Horde fails to properly escape error messages, which may lead to unsanitized error messages being displayed via Notification_Listener::getMessage().
Impact
By enticing a user to read a specially-crafted e-mail or using a manipulated URL, an attacker can execute arbitrary scripts running in the context of the victim's browser. This could lead to a compromise of the user's browser content.
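The following PHP is an added illustration of the defect class the advisory describes; it is not Horde's code, and the listener functions, the notice markup and the sample message are all constructed for this example. It places the unescaped rendering of a notification message next to the escaped form, and includes a small check a reviewer can run over rendered output.

```php
<?php
// Added illustration, not Horde's code: a minimal notification listener
// showing unescaped rendering of an error message next to the fixed form.

// Constructed sample: an error message whose text originates from
// untrusted input (e.g. a filename taken from a URL parameter or a mail
// header) and therefore may carry markup.
$untrustedMessage = 'Unable to open "<script>alert(1)</script>" for reading';

/**
 * Vulnerable pattern: the message text is interpolated into HTML as-is,
 * so any markup it contains is interpreted by the victim's browser.
 */
function getMessageUnescaped(string $type, string $message): string
{
    return '<div class="notice-' . $type . '">' . $message . '</div>';
}

/**
 * Hardened pattern: escape every untrusted value for an HTML text context
 * before concatenation. ENT_QUOTES also neutralises single and double
 * quotes, so the same helper is safe inside attribute values; the charset
 * argument must match the encoding the page is served with.
 */
function getMessageEscaped(string $type, string $message): string
{
    $safeType    = htmlspecialchars($type, ENT_QUOTES, 'UTF-8');
    $safeMessage = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return '<div class="notice-' . $safeType . '">' . $safeMessage . '</div>';
}

/**
 * Review check: strip the listener's own wrapper element and report whether
 * any raw tag or unescaped quote from the message survived into the output.
 * A true result means the renderer let attacker-controlled markup through.
 */
function containsRawMarkup(string $html): bool
{
    $inner = preg_replace('#^<div class="notice-[^"]*">(.*)</div>$#s', '$1', $html);
    return (bool) preg_match('/[<>"\']/', $inner);
}

echo getMessageUnescaped('error', $untrustedMessage), PHP_EOL;
var_dump(containsRawMarkup(getMessageUnescaped('error', $untrustedMessage)));

echo getMessageEscaped('error', $untrustedMessage), PHP_EOL;
var_dump(containsRawMarkup(getMessageEscaped('error', $untrustedMessage)));
```

Run with `php example.php`; the first check reports raw markup in the output, the second does not. Escaping at the point of output (rather than when the message is created) is what makes the fix robust: the same message object may later be rendered into a different context, and the listener is the one place that knows it is producing HTML.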
Workaround
There is no known workaround at this time.
Resolution
All Horde Application Framework users should upgrade to the latest version:

Code:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.9"
References
CVE-2005-3570
Horde Announcement
Last edited by GLSA on Sun May 07, 2006 4:59 pm; edited 1 time in total