Vigil@nce: Horde, Cross Site Scripting
September 2008 by
SYNTHESIS
An attacker can generate two Cross Site Scripting in Horde
products.
Gravity: 2/4
Consequences: client access/rights
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 10/09/2008
Identifier: VIGILANCE-VUL-8102
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION
The Horde, Horde Groupware and Horde Groupware Webmail Edition
products share the same source code and thus the same Cross Site
Scripting vulnerabilities.
HTML messages are not correctly filtered, which can be used by an
attacker for Cross Site Scripting attacks. [grav:2/4;
CVE-2008-3824]
The MIME library does not correctly filter its output, which can
be used by an attacker for Cross Site Scripting attacks.
[grav:2/4; CVE-2008-3823]
CHARACTERISTICS
Identifiers: CVE-2008-3823, CVE-2008-3824, ocert-2008-012,
VIGILANCE-VUL-8102