Horde IMP Webmail Client Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	53435
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	May 09 2012 12:00AM
Updated:	May 30 2012 07:50PM
Credit:	The vendor reported these issues.
Vulnerable:	Horde Project IMP 5.0.18 Horde Project IMP 5.0.17 Horde Project IMP 5.0.16 Horde Project IMP 5.0.4-Git Horde Project IMP 5.0.3 Horde Project IMP 5.0.2 Horde Project IMP 5.0.1 Horde Project IMP 5.0 Rc2 Horde Project IMP 5.0 Rc1 Horde Project IMP 5.0 Beta1 Horde Project IMP 5.0 Alpha1 Horde Project IMP 5.0 Horde Horde Groupware Webmail Edition 4.0.7 Horde Horde Groupware Webmail Edition 4.0.4 Horde Horde Groupware Webmail Edition 4.0.3
Not Vulnerable:	Horde Project IMP 5.0.21 Horde Horde Groupware Webmail Edition 4.0.8

Horde IMP Webmail Client Multiple Cross Site Scripting Vulnerabilities

Horde IMP Webmail Client is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Versions prior to IMP 5.0.21 are vulnerable.

Horde IMP Webmail Client Multiple Cross Site Scripting Vulnerabilities

Attackers can exploit these issues by enticing an unsuspecting user to follow a malicious URI.

Horde IMP Webmail Client Multiple Cross Site Scripting Vulnerabilities

Solution:
Vendor updates are available. Please see the references for more information.

Horde IMP Webmail Client Multiple Cross Site Scripting Vulnerabilities

References:

• [announce] Horde Groupware Webmail Edition 4.0.8 (final) (Horde Project)
  
• [announce] IMP H4 (5.0.21) (final) (Horde Project)
  
• Horde Groupware Webmail Edition Release 4.0.8 Changelog (Horde Project)
  
• IMP Homepage (Horde Project)
  
• Released imp-5.0.21 (Horde Project)