Posted: Wed Nov 23, 2005 8:43 am    Post subject: [ GLSA 200511-20 ] Horde Application Framework: XSS vulnerability
Gentoo Linux Security Advisory
Title: Horde Application Framework: XSS vulnerability (GLSA 200511-20)
Date: November 22, 2005
The Horde Application Framework is vulnerable to a cross-site scripting vulnerability which could lead to the compromise of the victim's browser content.
The Horde Application Framework is a general-purpose web application framework written in PHP, providing classes for handling preferences, compression, browser detection, connection tracking, MIME, and more.
Vulnerable: < 2.2.9
Unaffected: >= 2.2.9
Architectures: All supported architectures
The Horde Team reported a potential XSS vulnerability: Horde fails to properly escape error messages, which may lead to unsanitized error messages being displayed via Notification_Listener::getMessage().
By enticing a user to read a specially-crafted e-mail or using a manipulated URL, an attacker can execute arbitrary scripts running in the context of the victim's browser. This could lead to a compromise of the user's browser content.
There is no known workaround at this time.
All Horde Application Framework users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.9"
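The advisory's description is the classic unescaped-output pattern: a notification message that may contain request-controlled text (a URL parameter, a mail header) is concatenated into HTML as-is. The following is an added illustration, not Horde's code and not the patched Notification_Listener: the class and method names are hypothetical stand-ins, and the tainted input is constructed. It renders the same message through a vulnerable path and a hardened one so the difference in emitted markup is visible.

```php
<?php
// Added example, not Horde's code. ExampleNotificationListener is a hypothetical
// stand-in for a listener that turns queued messages into HTML; only the
// escaping behaviour is what the advisory is about.

class ExampleNotificationListener
{
    private array $messages = [];

    public function push(string $message): void
    {
        $this->messages[] = $message;
    }

    // Vulnerable pattern: the message text is concatenated straight into HTML.
    // If any part of it came from the request, markup inside it is interpreted
    // by the victim's browser.
    public function getMessageUnescaped(string $message): string
    {
        return '<div class="notice">' . $message . '</div>';
    }

    // Hardened pattern: encode for the HTML text context before emitting.
    // ENT_QUOTES covers both quote styles; the charset argument must match the
    // page's declared encoding, otherwise the encoding step can be bypassed.
    public function getMessage(string $message): string
    {
        return '<div class="notice">'
            . htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
            . '</div>';
    }

    // Render every queued message, escaped or not, so both outputs can be compared.
    public function render(bool $escape = true): string
    {
        $out = '';
        foreach ($this->messages as $m) {
            $out .= $escape ? $this->getMessage($m) : $this->getMessageUnescaped($m);
        }
        return $out;
    }
}

// Constructed input standing in for an attacker-controlled value that ends up
// in an error message (for instance a folder name taken from the query string).
$tainted = 'Folder "<script>alert(document.cookie)</script>" not found';

$listener = new ExampleNotificationListener();
$listener->push($tainted);

echo "Unescaped (vulnerable):\n", $listener->render(false), "\n\n";
echo "Escaped (fixed):\n", $listener->render(true), "\n";
```

The hardened path is only correct for the HTML text context. A message inserted into an attribute, a JavaScript string or a URL needs the encoding appropriate to that context; htmlspecialchars() alone is not sufficient there.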