Horde Groupware 1.2.5 and application_framework 3.3.3 Multiple Vulns

2009-12-23 / 2009-12-24
Credit: Jan Schneider
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

The Horde Team is pleased to announce the final release of the Horde Groupware version 1.2.5. This is a bugfix release that also fixes an XSS vulnerability in the administration interface and improves the XSS filter to work around an XSS vulnerability in Firefox browsers. Thanks to Juan Galiana Lara and Daniel Fernández Bleda from Internet Security Auditors for finding the XSS vulnerability in the administration interface.

Horde Groupware is a free, enterprise-ready, browser-based collaboration suite. Users can manage and share calendars, contacts, tasks and notes with the standards-compliant components from the Horde Project.

The major changes compared to the Horde Groupware version 1.2.4 are:

* Fixed XSS vulnerability in administrator scripts.
* Several synchronization improvements.
* Improved Oracle and MSSQL compatibility.
* Fixed access keys on Mac browsers.
* Fixed "white screen" issue with Internet Explorer.
* Added preference for the name format to use for sorting contacts.
* Support X-ANNIVERSARY, X-CHILDREN, and X-SPOUSE vCard fields.
* Correctly track contact deletions during synchronization.
* Fixed edge cases of weekly recurring events.
* Fixed editing URLs of remote calendars.
* Some speed improvements in the calendar.
* Fixed importing task due dates.
* Added Croatian translation.
* Many further bug fixes and feature enhancements.
The full list of changes (from version 1.2.4) can be viewed here:

http://cvs.horde.org/diff.php/groupware/docs/groupware/CHANGES?r1=1.38.2.7&r2=1.38.2.9&ty=h

The Horde Groupware 1.2.5 distribution is available from the following locations:

ftp://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.5.tar.gz
http://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.5.tar.gz

Patches against version 1.2.4 are available at:

ftp://ftp.horde.org/pub/horde-groupware/patches/patch-horde-groupware-1.2.4-1.2.5.gz
http://ftp.horde.org/pub/horde-groupware/patches/patch-horde-groupware-1.2.4-1.2.5.gz

Or, for quicker access, download from your nearest mirror:

http://www.horde.org/mirrors.php

MD5 sums for the packages are as follows:

f4953165d90a73135904531807895481  horde-groupware-1.2.5.tar.gz
7c794a211c6261e6705bbad732fab2f7  patch-horde-groupware-1.2.4-1.2.5.gz

Have fun!

The Horde Team
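The announcement publishes MD5 sums so that an administrator can confirm the tarball or patch arrived intact before unpacking or applying it. The script below is an added example, not part of the Horde announcement or the Horde project's own tooling: it embeds the two digest lines from the announcement as a manifest, computes each present file's digest with `md5sum` (or BSD `md5` where `md5sum` is absent), and fails only on a mismatch, since a site typically downloads either the full tarball or the patch rather than both. It assumes the downloads sit in the directory given as the first argument (default: the current directory). Note that an MD5 match only detects transfer corruption or a swapped file; it does not prove who produced the package, so it complements rather than replaces fetching from the project's own servers or a trusted mirror.

```shell
#!/bin/sh
# Added example, not from the Horde announcement: verify downloaded Horde
# Groupware 1.2.5 packages against the MD5 sums published in the announcement.

# Manifest copied from the announcement: digest, whitespace, file name.
HORDE_MD5_MANIFEST='f4953165d90a73135904531807895481  horde-groupware-1.2.5.tar.gz
7c794a211c6261e6705bbad732fab2f7  patch-horde-groupware-1.2.4-1.2.5.gz'

# md5_of FILE: print the lowercase hex MD5 digest of FILE.
# Uses GNU md5sum where available, otherwise BSD md5 (e.g. macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: status 0 if FILE exists and its digest equals
# EXPECTED, status 1 otherwise.
verify_md5() {
    [ -f "$1" ] || return 1
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_manifest MANIFEST DIR: check every file named in MANIFEST that is
# present in DIR. Returns 0 only when every present file matches. A file that
# was not downloaded is reported as MISSING but does not fail the check.
verify_manifest() {
    manifest="$1"
    dir="$2"
    status=0
    # A here-document (not a pipe) keeps the loop in the current shell,
    # so the $status variable set inside it survives the loop.
    while read -r expected name; do
        [ -n "$name" ] || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
        elif verify_md5 "$path" "$expected"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $(md5_of "$path"))"
            status=1
        fi
    done <<EOF
$manifest
EOF
    return "$status"
}

# Check the directory given as the first argument, or the current directory.
verify_manifest "$HORDE_MD5_MANIFEST" "${1:-.}"
```

Run it from the download directory (or pass that directory as the argument); a non-zero exit status means at least one present file did not match its published digest and should be discarded and re-downloaded.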

References:

http://marc.info/?l=horde-announce&m=126101076422179&w=2
http://marc.info/?l=horde-announce&m=126100750018478&w=2
http://lists.horde.org/archives/announce/2009/000529.html
http://securitytracker.com/id?1023365
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.559&r2=1.515.2.589&ty=h
http://bugs.horde.org/view.php?actionID=view_file&type=patch&file=0002-Bug-8715-Fix-XSS-vulnerability%5B1%5D.patch&ticket=8715
http://bugs.horde.org/ticket/8715



Copyright 2019, cxsecurity.com
