Horde Accounts Module Remote Cross-Site Scripting Vulnerability
BID:13365
Info
Horde Accounts Module Remote Cross-Site Scripting Vulnerability
| Bugtraq ID: | 13365 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 25 2005 12:00AM |
| Updated: | Apr 25 2005 12:00AM |
| Credit: | The individual or individuals responsible for the discovery of this issue are currently unknown; the vendor disclosed this issue. |
| Vulnerable: |
Horde Accounts Module 2.1.1 Horde Accounts Module 2.1 Gentoo Linux |
| Not Vulnerable: |
Horde Accounts Module 2.1.2 |
Discussion
Horde Accounts Module Remote Cross-Site Scripting Vulnerability
A remote cross-site scripting vulnerability affects Horde Accounts Module. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
A remote cross-site scripting vulnerability affects Horde Accounts Module. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in dynamically generated Web content.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
Exploit / POC
Horde Accounts Module Remote Cross-Site Scripting Vulnerability
No exploit is required to leverage this issue.
No exploit is required to leverage this issue.
Solution / Fix
Horde Accounts Module Remote Cross-Site Scripting Vulnerability
Solution:
The vendor has released an upgrade dealing with this issue.
Gentoo Linux has released advisory GLSA 200505-01 to address this, and other issues. Users of affected packages are urged to execute the following commands with superuser privileges:
All Horde users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-accounts-2.1.2"
Please see the referenced advisory for further information.
Horde Accounts Module 2.1
Horde Accounts Module 2.1.1
Solution:
The vendor has released an upgrade dealing with this issue.
Gentoo Linux has released advisory GLSA 200505-01 to address this, and other issues. Users of affected packages are urged to execute the following commands with superuser privileges:
All Horde users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-2.2.8"
All Horde Vacation users should upgrade to the latest version:
emerge --sync
emerge --ask --oneshot --verbose ">=www-apps/horde-accounts-2.1.2"
Please see the referenced advisory for further information.
Horde Accounts Module 2.1
-
Horde Accounts Module 2.1.2
http://www.horde.org/accounts/download/
Horde Accounts Module 2.1.1
-
Horde Accounts Module 2.1.2
http://www.horde.org/accounts/download/
References
Horde Accounts Module Remote Cross-Site Scripting Vulnerability
References:
References:
- Accounts Module Home Page (Horde Project)
- Pandora Homepage (Pandora FMS Team)