[Tickets #12803] CSRF and XSS in Save search as a virtual address book
noreply at bugs.horde.org
Mon Oct 28 21:37:04 UTC 2013
Ticket URL: http://bugs.horde.org/ticket/12803
------------------------------------------------------------------------------
Ticket | 12803
Created By | m.benetrix at e-secure.com.au
Summary | CSRF and XSS in Save search as a virtual address book
Queue | Horde Groupware Webmail Edition
Version | 5.1.2
Type | Bug
State | Unconfirmed
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
m.benetrix at e-secure.com.au (2013-10-28 21:37) wrote:
CSRF and XSS were found in the "Save Search as a virtual address book"
functionality. A malicious attacker could launch a CSRF attack and
make the user save malicious code into the "save search". This
functionality was found to miss sanitisation of the user's input, making
it vulnerable to XSS.
So in order to exploit the XSS, a CSRF has to be launched before.
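The two defences the report implies (a request token to stop the forged "save search" request, and escaping of the stored name on output) are illustrated below as an added example; this is not Horde's code, and the session key, form field names and in-memory store are assumptions for the demo.

```php
<?php
// Added example (not Horde's code): a hardened "save search as virtual
// address book" handler. Assumes a session-bound CSRF token and a plain
// array store; $_SESSION keys and form field names are illustrative.

session_start();

// Issue a per-session token that the form must echo back in a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject the request unless the submitted token matches the session token.
// hash_equals() compares in constant time; a plain == would leak via timing.
function check_csrf(array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && $sent !== ''
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// Save the virtual address book only after the CSRF check passes.
// The raw name is stored unchanged; escaping happens at output time.
function save_virtual_address_book(array $post, array &$store): bool {
    if (!check_csrf($post)) {
        return false;           // forged or token-less request: no state change
    }
    $name = trim((string)($post['vbook_name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        return false;           // basic input validation on the name
    }
    $store[] = ['name' => $name, 'search' => $post['search'] ?? ''];
    return true;
}

// Escape on output so a stored name containing markup renders as text.
function render_vbook_name(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demo: a request without a token is dropped, a legitimate
// one is stored, and its name is escaped when rendered.
$store = [];
$forged = ['vbook_name' => '<b>Shared contacts</b>', 'search' => 'name=smith'];
var_dump(save_virtual_address_book($forged, $store));
$legit = $forged + ['csrf_token' => csrf_token()];
var_dump(save_virtual_address_book($legit, $store));
echo render_vbook_name($store[0]['name']), "\n";
```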