
List:       oss-security
Subject:    Re: [oss-security] CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue when uploading
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-11-23 18:36:57
Message-ID: 50AFC249.7070108 () redhat ! com
On 11/23/2012 10:46 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> Horde upstream within Horde Groupware Webmail Edition version
> 4.0.9 release corrected also one XSS issue in IMP: [1]
> http://lists.horde.org/archives/announce/2012/000840.html
> * Mail changes:
>   * Fixed obscure XSS issue when uploading attachments.
> 
> Upstream patch:
> https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2
> 
> References:
> https://github.com/horde/horde/blob/1550c6ecd7204f9579fcbb09ec7089e01b0771e2/imp/docs/CHANGES
> 
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> P.S.: No Red Hat bugzilla entry available, since this issue did
> not affect versions of IMP, as shipped with Fedora / Fedora EPEL.
> 
> P.S.#2: The other XSS from [1]:
> * Calendar changes:
>   * Fixed XSS issue in portal blocks.
> 
> is already covered within my previous (Kronolith related) request.
> 

Please use CVE-2012-5565 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
