Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading attachments.
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 23 Nov 2012 11:36:57 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/23/2012 10:46 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

Horde upstream within Horde Groupware Webmail Edition version
4.0.9 release corrected also one XSS issue in IMP: [1]
http://lists.horde.org/archives/announce/2012/000840.html * Mail
changes: * Fixed obscure XSS issue when uploading attachments.

Upstream patch:
https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2


References:
https://github.com/horde/horde/blob/1550c6ecd7204f9579fcbb09ec7089e01b0771e2/imp/docs/CHANGES

Could you allocate a CVE id for this?

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team

P.S.: No Red Hat bugzilla entry available, since this issue did
not affect versions of IMP, as shipped with Fedora / Fedora EPEL.

P.S.#2: The other XSS from [1]: Calendar changes: * Fixed XSS issue
in portal blocks.

is already covered within my previous (Kronolith related) request.


Please use CVE-2012-5565 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQr8JJAAoJEBYNRVNeJnmTPswP/2M1CsC7Iirut0OYhaQWjPEj
Qqvab1qDeKw8QyxASBOarOEEWpXbbIhJ6DrmdBxlnI7zZAAo/SFiQKqqFKw8J0t3
7DzKUzVk/HymGz8ZbtECW9DT116jDGGLXP9zhH+LGB39Q98woSE9Fzr0ZlgV6gmk
zwkurc/tb6xz03VQgceex8DwEn+Xm/7uFez3cxcK4zgy6AKUKIX3n9kbUIv8tpV6
mn41PaJojZ8sZMSzgIhcXz/0SYK0doA9oRvpyHWTQGE3gqF1rtz2kxYVNNg2VnAf
udQ7jPHQTh8Wb5O47Uhgw/m1ywvys8V1Kh+5KcSBAmjFsctFBoPKjs+vEOqia+EM
fb3QDRtastF3WiRUbtnCQEPvXA/DEOnt9Za5cvstofxThIMhtzYInKbnUws1SMeI
c/z+Z3386DI4L7mbb0cOBlEGE/4PEvoohu7uueKsKE7Rc1bNYJvjuAWA8QkCBrcW
LwedfuXoeO6zBH6lx1H65/XfNXFvL9fqlCKhEv8i9129zcAbbIWZNwxi46kAtP6Q
m4NvvowC68HOCeMrr3Tz10JEZvLfmsveoR2X219wa4vZJk6Z7pkHBAocI2qMbEaM
YbSO0I1URvtCYH2OCMFLMiMJBuurBBrZ82QwM5GkN1dypNnGSSL3r6UzJvbCnRHe
vTbrDfwM5z4P2JjrSxpV
=G5Z1
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]