Message-ID: <271664441.37279311.1353692769563.JavaMail.root@redhat.com>
Date: Fri, 23 Nov 2012 12:46:09 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>, security@...de.org
Subject: CVE Request -- (Horde) IMP (prior v5.0.24-git): Obscure XSS issue
 when uploading attachments.

Hello Kurt, Steve, vendors,

  Horde upstream within Horde Groupware Webmail Edition version 4.0.9
release corrected also one XSS issue in IMP:
[1] http://lists.horde.org/archives/announce/2012/000840.html
* Mail changes:
     * Fixed obscure XSS issue when uploading attachments.

  Upstream patch: https://github.com/horde/horde/commit/1550c6ecd7204f9579fcbb09ec7089e01b0771e2
  References: https://github.com/horde/horde/blob/1550c6ecd7204f9579fcbb09ec7089e01b0771e2/imp/docs/CHANGES

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: No Red Hat bugzilla entry available, since this issue did not
      affect versions of IMP, as shipped with Fedora / Fedora EPEL.

P.S.#2: The other XSS from [1]:
      Calendar changes:
      * Fixed XSS issue in portal blocks.

      is already covered within my previous (Kronolith related) request.
