oss-sec mailing list archives

CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading attachments.


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 23 Nov 2012 12:46:09 -0500 (EST)

Hello Kurt, Steve, vendors,

  Horde upstream, within the Horde Groupware Webmail Edition version 4.0.9
release, also corrected one XSS issue in IMP:
[1] http://lists.horde.org/archives/announce/2012/000840.html
* Mail changes:
     * Fixed obscure XSS issue when uploading attachments.

  Upstream patch: https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2
  References: https://github.com/horde/horde/blob/1550c6ecd7204f9579fcbb09ec7089e01b0771e2/imp/docs/CHANGES

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: No Red Hat bugzilla entry available, since this issue did not
      affect versions of IMP, as shipped with Fedora / Fedora EPEL.

P.S.#2: The other XSS from [1]:
      Calendar changes:
      * Fixed XSS issue in portal blocks.

      is already covered within my previous (Kronolith related) request.

