CVE Request -- kronolith: Two sets (3.0.17 && 3.0.18) of XSS flaws
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 23 Nov 2012 12:25:27 -0500 (EST)
Hello Kurt, Steve, vendors,
Horde upstream has recently released version 3.0.18
of Kronolith, the Horde calendar application, correcting
one set of XSS flaws:
* Set #1: [mms] SECURITY: Fix XSS vulnerabilities in the portal blocks.
Upstream patch: http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e
References: ,  plus  https://bugzilla.redhat.com/show_bug.cgi?id=879684
Also previously (in version 3.0.17), yet another set of XSS flaws got corrected:
* Set #2: [jan] SECURITY: Fix XSS vulnerabilities in tasks view and search view (Bug #11189).
Upstream ticket:  http://bugs.horde.org/ticket/11189
Upstream patch:  http://git.horde.org/horde-git/-/commit/1228a6825a8dab3333d0a8c8986fc10d1f3d11b2
References: , , , 
Note: There isn't a Red Hat Bugzilla entry, since the kronolith 2.x
based versions shipped within Fedora / Fedora EPEL weren't
vulnerable to this problem yet.
A look at the MITRE CVE database for kronolith:
suggests that the last security flaws CVE ids have been assigned to were the
[jan] SECURITY: Fix privilege escalation in Horde API. => CVE-2008-7218
[cjh] SECURITY: Fix missing ownership validation on share changes => CVE-2008-7219
so both sets of the XSS issues (Set #1, Set #2) should still be lacking
(two) CVE identifiers.
Could you allocate them?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team