oss-sec mailing list archives

CVE request: Horde Gollem <1.1.2 XSS in view.php

From: Alex Legler <a3li () gentoo org>
Date: Wed, 29 Sep 2010 21:20:10 +0200

Hi,

while there seem to be CVE IDs for most of the issues fixed in the
latest Horde packages, I cannot find one for this issue:

From http://bugs.horde.org/ticket/9191:

"http://localhost/horde/gollem/view.php?actionID=view_file&type=txt&file=<script>alert("XSS")</script>&dir=../baddir/&driver=file
Vulnerable file : view.php (Line 32 - 46)"

Fixed in git (and released in 1.1.2):
http://lists.horde.org/archives/commits/2010-August/004747.html
http://lists.horde.org/archives/announce/2010/000565.html

Thanks,
Alex
-- 
Alex Legler <a3li () gentoo org>
Gentoo Security/Ruby

Attachment: signature.asc
Description:

Current thread:

CVE request: Horde Gollem <1.1.2 XSS in view.php Alex Legler (Sep 29)
- Re: CVE request: Horde Gollem <1.1.2 XSS in view.php Josh Bressers (Sep 30)
- Re: CVE request: Horde Gollem <1.1.2 XSS in view.php Moritz Muehlenhoff (Sep 30)
  - Re: CVE request: Horde Gollem <1.1.2 XSS in view.php Alex Legler (Sep 30)