FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

horde-base -- XSS and CSRF vulnerabilities

Affected packages
horde-base < 3.3.9

Details

VuXML ID 8fc55043-cb1e-11df-9c1b-0011098ad87f
Discovery 2010-06-03
Entry 2010-09-28

The Horde team reports:

Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability.

Thanks to Secunia for releasing an advisory for the new CSRF protection in the preference interface.

The major changes compared to Horde version 3.3.8 are:

* Fixed XSS vulnerability in util/icon_browser.php.

* Protected preference forms against CSRF attacks.

References

URL http://article.gmane.org/gmane.comp.horde.announce/515
URL http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.607&r2=1.515.2.620&ty=h
URL http://holisticinfosec.org/content/view/145/45/
URL http://secunia.com/advisories/39860/