Horde Kronolith Multiple Cross Site Scripting Vulnerabilities
BID:53731
Info
Horde Kronolith Multiple Cross Site Scripting Vulnerabilities
| Bugtraq ID: | 53731 |
| Class: | Input Validation Error |
| CVE: |
CVE-2012-6620 |
| Remote: | Yes |
| Local: | No |
| Published: | May 14 2012 12:00AM |
| Updated: | Jan 24 2014 12:54AM |
| Credit: | The vendor reported these issues. |
| Vulnerable: |
Horde Project Kronolith 2.1.7 Horde Project Kronolith 2.1.6 Horde Project Kronolith 2.1.4 Horde Project Kronolith 2.1.3 Horde Project Kronolith 2.1.2 Horde Project Kronolith 2.1.1 Horde Project Kronolith 2.1 Horde Project Kronolith 3.0.16 Horde Horde Groupware Webmail Edition 4.0.7 Horde Horde Groupware Webmail Edition 4.0.4 Horde Horde Groupware Webmail Edition 4.0.3 Horde Horde Groupware 4.0.5 Horde Horde Groupware 4.0.7 Horde Horde Groupware 4.0.4 Horde Horde Groupware 4.0.3 Horde Dynamic Imp 1.0 |
| Not Vulnerable: |
Horde Project Kronolith 3.0.17 Horde Horde Groupware Webmail Edition 4.0.8 Horde Horde Groupware 4.0.8 |
Discussion
Horde Kronolith Multiple Cross Site Scripting Vulnerabilities
Horde Kronolith is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Kronolith 3.0.17 are vulnerable.
Horde Kronolith is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Kronolith 3.0.17 are vulnerable.
Exploit / POC
Horde Kronolith Multiple Cross Site Scripting Vulnerabilities
Attackers can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
Attackers can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
Solution / Fix
Horde Kronolith Multiple Cross Site Scripting Vulnerabilities
Solution:
Vendor updates are available. Please see the references for more information.
Solution:
Vendor updates are available. Please see the references for more information.
References
Horde Kronolith Multiple Cross Site Scripting Vulnerabilities
References:
References:
- [announce] Horde Groupware 4.0.8 (final) (Horde Project)
- [announce] Horde Groupware Webmail Edition 4.0.8 (final) (Horde Project)
- [announce] Kronolith H4 (3.0.17) (final) (Horde Project)
- Commit: Escape content (Bug #11189) (Horde Project)
- Horde Groupware 4.0.8 Changelog (Horde Project)
- Horde Groupware Webmail Edition Release 4.0.8 Changelog (Horde Project)
- Kronolith Homepage (Horde Project)