[pkg-horde] Bug#434045: horde3: Cross-site scripting (XSS) vulnerability

Steffen Joeris white at debian.org
Sat Jul 21 14:21:08 UTC 2007


Package: horde3
Severity: grave
Tags: security
Justification: user security hole

Hi mate

A possible security hole has been discovered in horde3.
The CVE[0] text says:


Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php
in Horde Framework before 3.1.4 RC1, when the login page contains
a language selection box, allows remote attackers to inject 
arbitrary web script or HTML via the new_lang parameter to login.php.

It states that all the versions in Debian are effected. Feel
free to downgrade the bug, if I am mistaken.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1473




More information about the pkg-horde-hackers mailing list