oss-sec mailing list archives
Re: CVE request: hastymail before 1.01 XSS
From: Josh Bressers <bressers () redhat com>
Date: Thu, 6 Jan 2011 13:50:37 -0500 (EST)
Please use CVE-2010-4646 for this. Thanks. -- JB ----- Original Message -----
See http://www.hastymail.org/security/ "Many thanks to Julien CAYSSOL who discovered and reported the issue. The specific problem is an XSS attack vector in HTML formatted messages that takes advantage of background attributes used with table cell elements. Due to an incorrect implementation of the new htmLawed HTML filter this attribute value was not properly sanitized and could be used to inject executable JavaScript. This was NOT a flaw in the htmLawed filter code itself, but a problem with it's specific use in Hastymail2. The Hastymail2 1.01 release was pacakages specifically to address this one issue. " -- Hanno Böck Blog: http://www.hboeck.de/ GPG: 3DBD3B20 Jabber/Mail: hanno () hboeck de http://schokokeks.org - professional webhosting
Current thread:
- CVE request: hastymail before 1.01 XSS Hanno Böck (Jan 05)
- Re: CVE request: hastymail before 1.01 XSS Josh Bressers (Jan 06)