[pkg-horde] Bug#434045: horde3: Cross-site scripting (XSS) vulnerability
Steffen Joeris
white at debian.org
Sat Jul 21 14:21:08 UTC 2007
Package: horde3
Severity: grave
Tags: security
Justification: user security hole
Hi mate
A possible security hole has been discovered in horde3.
The CVE[0] text says:
Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php
in Horde Framework before 3.1.4 RC1, when the login page contains
a language selection box, allows remote attackers to inject
arbitrary web script or HTML via the new_lang parameter to login.php.
It states that all the versions in Debian are affected. Feel
free to downgrade the bug, if I am mistaken.
Cheers
Steffen
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1473