CVE-2009-4363
Published: 21 December 2009
Text_Filter/lib/Horde/Text/Filter/Xss.php in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 does not properly handle data: URIs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via data:text/html values for the HREF attribute of an A element in an HTML e-mail message. NOTE: the vendor states that the issue is caused by "an XSS vulnerability in Firefox browsers."
Priority
Status
| Package | Release | Status |
|---|---|---|
|
horde3 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Released
(3.2.2+debian0-2+lenny2build0.9.04.1)
|
|
| karmic |
Ignored
(end of life)
|
|
| lucid |
Not vulnerable
(3.3.6+debian0-2)
|
|
| maverick |
Not vulnerable
(3.3.6+debian0-2)
|
|
| natty |
Not vulnerable
(3.3.6+debian0-2)
|
|
| oneiric |
Not vulnerable
(3.3.6+debian0-2)
|
|
| upstream |
Released
(3.3.6)
|
|
|
Patches: vendor: http://www.debian.org/security/2010/dsa-1966 |
||