[announce] [SECURITY] Horde Groupware 5.2.16 (final)
Jan Schneider
jan at horde.org
Tue Sep 6 19:36:49 UTC 2016
The Horde Team is pleased to announce the final release of the Horde Groupware
version 5.2.16.
Horde Groupware is a free, enterprise ready, browser based collaboration
suite. Users can manage and share calendars, contacts, tasks, notes,
files, and
bookmarks with the standards compliant components from the Horde Project.
For upgrading instructions, please see
http://www.horde.org/apps/groupware/docs/UPGRADING
For detailed installation and configuration instructions, please see
http://www.horde.org/apps/groupware/docs/INSTALL
Thanks to Liuzhu for reporting the XSS vulnerability via data:text/html
content.
Thanks to Dawid Gounski for reporting the missing CSRF token in the
configuration form and the XSS vulnerability with SVG images via Beyond
Security's SecuriTeam Secure Disclosure program.
Thanks to Florian Köllich for reporting the XSS vulnerability and open URL
redirection in the portal forms.
The major changes compared to the Horde Groupware version 5.2.15 are:
Security fixes:
* Fixed an XSS vulnerability via data:text/html content of form action and
xlink attributes.
* Added CSRF protection tokens to the portal layout forms.
* Fixed an open URL redirection in the portal layout forms.
* Enabled CSRF tokens in the configuration forms.
* Don't render SVG images in the browser to avoid XSS attacks
General changes:
* Several bugfixes and improvements.
Tasks changes:
* Fixed sorting of recurring tasks by due date.
The full list of changes can be viewed here:
https://github.com/horde/horde/blob/72433fdb14f886c237f0a766ef4b79d4df73b22e/bundles/groupware/docs/CHANGES
Have fun!
The Horde Team.
More information about the announce
mailing list