Horde Nag Remote Cross-Site Scripting Vulnerability
BID:13363
Info
Horde Nag Remote Cross-Site Scripting Vulnerability
| Bugtraq ID: | 13363 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 25 2005 12:00AM |
| Updated: | Apr 25 2005 12:00AM |
| Credit: | The individual or individuals responsible for the discovery of this issue are currently unknown; the vendor disclosed this issue. |
| Vulnerable: |
Horde Nag 1.1.2 Horde Nag 1.1.1 Horde Nag 1.1 Gentoo Linux |
| Not Vulnerable: |
Horde Nag 1.1.3 |
Discussion
Horde Nag Remote Cross-Site Scripting Vulnerability
A remote cross-site scripting vulnerability affects Horde Nag. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
A remote cross-site scripting vulnerability affects Horde Nag. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Exploit / POC
Horde Nag Remote Cross-Site Scripting Vulnerability
No exploit is required to leverage this issue.
No exploit is required to leverage this issue.
Solution / Fix
Horde Nag Remote Cross-Site Scripting Vulnerability
Solution:
The vendor has released an upgrade dealing with this issue.
Gentoo Linux has released advisory GLSA 200505-01 to address this, and other issues. Users of affected packages are urged to execute the following commands with superuser privileges:
All Horde users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-nag-1.1.3"
Please see the referenced advisory for further information.
Horde Nag 1.1
Horde Nag 1.1.1
Horde Nag 1.1.2
Solution:
The vendor has released an upgrade dealing with this issue.
Gentoo Linux has released advisory GLSA 200505-01 to address this, and other issues. Users of affected packages are urged to execute the following commands with superuser privileges:
All Horde users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-nag-1.1.3"
Please see the referenced advisory for further information.
Horde Nag 1.1
-
Horde Nag 1.1.3
http://www.horde.org/nag/download/
Horde Nag 1.1.1
-
Horde Nag 1.1.3
http://www.horde.org/nag/download/
Horde Nag 1.1.2
-
Horde Nag 1.1.3
http://www.horde.org/nag/download/
References
Horde Nag Remote Cross-Site Scripting Vulnerability
References:
References:
- Nag Home Page (Horde Project)
- Pandora Homepage (Pandora FMS Team)