Horde Chora Remote Cross-Site Scripting Vulnerability
BID:13364
Info
Horde Chora Remote Cross-Site Scripting Vulnerability
| Bugtraq ID: | 13364 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 25 2005 12:00AM |
| Updated: | Apr 25 2005 12:00AM |
| Credit: | The individual or individuals responsible for the discovery of this issue are currently unknown; the vendor disclosed this issue. |
| Vulnerable: |
Horde Project Chora 1.2.2 Horde Project Chora 1.2.1 Horde Project Chora 1.2 Horde Project Chora 1.1 Gentoo Linux |
| Not Vulnerable: |
Horde Project Chora 1.2.3 |
Discussion
Horde Chora Remote Cross-Site Scripting Vulnerability
A remote cross-site scripting vulnerability affects Horde Chora. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
A remote cross-site scripting vulnerability affects Horde Chora. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Exploit / POC
Horde Chora Remote Cross-Site Scripting Vulnerability
No exploit is required to leverage this issue.
No exploit is required to leverage this issue.
Solution / Fix
Horde Chora Remote Cross-Site Scripting Vulnerability
Solution:
The vendor has released an upgrade dealing with this issue.
Gentoo Linux has released advisory GLSA 200505-01 to address this, and other issues. Users of affected packages are urged to execute the following commands with superuser privileges:
All Horde users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-chora-1.2.3"
Please see the referenced advisory for further information.
Horde Project Chora 1.1
Horde Project Chora 1.2
Horde Project Chora 1.2.1
Horde Project Chora 1.2.2
Solution:
The vendor has released an upgrade dealing with this issue.
Gentoo Linux has released advisory GLSA 200505-01 to address this, and other issues. Users of affected packages are urged to execute the following commands with superuser privileges:
All Horde users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-chora-1.2.3"
Please see the referenced advisory for further information.
Horde Project Chora 1.1
-
Horde Chora 1.2.3
http://www.horde.org/chora/download/
Horde Project Chora 1.2
-
Horde Chora 1.2.3
http://www.horde.org/chora/download/
Horde Project Chora 1.2.1
-
Horde Chora 1.2.3
http://www.horde.org/chora/download/
Horde Project Chora 1.2.2
-
Horde Chora 1.2.3
http://www.horde.org/chora/download/
References
Horde Chora Remote Cross-Site Scripting Vulnerability
References:
References:
- Chora Homepage (Horde Project)
- Pandora Homepage (Pandora FMS Team)