[Tickets #14926] Re: Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing Emails <= v5.2.22
noreply at bugs.horde.org
Tue Dec 3 02:57:18 UTC 2019
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: https://bugs.horde.org/ticket/14926
------------------------------------------------------------------------------
Ticket | 14926
Updated By | roberto at debian.org
Summary | Horde Webmail - XSS + CSRF to SQLi, RCE, Stealing
| Emails <= v5.2.22
Queue | Horde Groupware
Version | 5.2.22
Type | Bug
State | Resolved
Priority | 3. High
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
roberto at debian.org (2019-12-03 02:57) wrote:
The original report included the following:
> # An attacker can combine the "CSRF vulnerability in Trean Bookmarks
> (installed by default on Horde Groupware)" and
> # "Stored XSS vulnerability in Horde TagCloud (installed by default)"
> vulnerabilities to steal a victim's emails.
>
> # Also:
> # An attacker can use 3 different reflected XSS vulnerabilities to
> exploit Remote Command Execution, SQL Injection and Code Execution.
I am working on updating the Horde packages in Debian LTS, also
coordinating with the security team for an update to Debian stable,
and so some clarification would help.
It is clear that the TagCloud XSS (CVE-2019-12094) was fixed and the
associated commit was easy to find and applied cleanly to the Horde
package in Debian. It is also clear that the CSRF (CVE-2019-12095)
has been deemed minor and not worth fixing. However, it is not clear
that the "3 different reflected XSS vulnerabilities" have been
addressed. Is there an additional vulnerability there beyond the
two which received CVE assignments? Answering this would help ensure
that we properly track the state of Horde in Debian.