Horde MNemo Remote Cross-Site Scripting Vulnerability
BID:13362
Info
Horde MNemo Remote Cross-Site Scripting Vulnerability
| Bugtraq ID: | 13362 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 25 2005 12:00AM |
| Updated: | Apr 25 2005 12:00AM |
| Credit: | The individual or individuals responsible for the discovery of this issue are currently unknown; the vendor disclosed this issue. |
| Vulnerable: |
Horde Project Mnemo 1.1.3 Horde Project Mnemo 1.1.2 Horde Project Mnemo 1.1.1 Horde Project Mnemo 1.1 Gentoo Linux |
| Not Vulnerable: |
Horde Project Mnemo 1.1.4 |
Discussion
Horde MNemo Remote Cross-Site Scripting Vulnerability
A remote cross-site scripting vulnerability affects Horde Mnemo. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
A remote cross-site scripting vulnerability affects Horde Mnemo. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Exploit / POC
Horde MNemo Remote Cross-Site Scripting Vulnerability
No exploit is required to leverage this issue.
No exploit is required to leverage this issue.
Solution / Fix
Horde MNemo Remote Cross-Site Scripting Vulnerability
Solution:
The vendor has released an upgrade dealing with this issue.
Gentoo Linux has released advisory GLSA 200505-01 to address this, and other issues. Users of affected packages are urged to execute the following commands with superuser privileges:
All Horde users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-mnemo-1.1.4"
Please see the referenced advisory for further information.
Horde Project Mnemo 1.1
Horde Project Mnemo 1.1.1
Horde Project Mnemo 1.1.2
Horde Project Mnemo 1.1.3
Solution:
The vendor has released an upgrade dealing with this issue.
Gentoo Linux has released advisory GLSA 200505-01 to address this, and other issues. Users of affected packages are urged to execute the following commands with superuser privileges:
All Horde users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-mnemo-1.1.4"
Please see the referenced advisory for further information.
Horde Project Mnemo 1.1
-
Horde Mnemo 1.1.4
http://www.horde.org/mnemo/download/
Horde Project Mnemo 1.1.1
-
Horde Mnemo 1.1.4
http://www.horde.org/mnemo/download/
Horde Project Mnemo 1.1.2
-
Horde Mnemo 1.1.4
http://www.horde.org/mnemo/download/
Horde Project Mnemo 1.1.3
-
Horde Mnemo 1.1.4
http://www.horde.org/mnemo/download/
References
Horde MNemo Remote Cross-Site Scripting Vulnerability
References:
References:
- Mnemo Home Page (Horde Project)
- Pandora Homepage (Pandora FMS Team)