[Tickets #15190] Security: IMP HTML Email view does not sanitize against javascript in the onerror property
noreply at bugs.horde.org
Thu May 15 09:55:52 UTC 2025
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: https://bugs.horde.org/ticket/15190
------------------------------------------------------------------------------
Ticket | 15190
Created By | natasa.jakec at gmail.com
Summary | Security: IMP HTML Email view does not sanitize against javascript in the onerror property
Queue | IMP
Version | FRAMEWORK_6_0
Type | Bug
State | Assigned
Priority | 3. High
Milestone |
Patch |
Owners | Ralf Lang
------------------------------------------------------------------------------
natasa.jakec at gmail.com (2025-05-15 11:55) wrote:
See Re: [horde] Horde v 5.2.22 vulnerability - obfuscation via HTML encoding - XSS payload
Quick remedy is to disable HTML display.
Proper solution needs server-side filtering against javascript.
This was originally reported against Horde 5.2 - unsure if a patch can
be backported.
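
The server-side filtering the ticket asks for, as an added example that is not part of the ticket and not Horde or IMP code: the mail part is parsed first, so entity-encoded values are decoded before they are checked, and only allowlisted elements, attributes and URL schemes are kept. The function name `sanitize_mail_html()` and the allowlists are assumptions made for illustration.

```php
<?php
// Added example, not Horde/IMP code. sanitize_mail_html() and the allowlists
// below are hypothetical names and values chosen for illustration.
function sanitize_mail_html(string $html): string
{
    $allowedTags    = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'img', 'ul', 'ol', 'li', 'div', 'span'];
    $allowedAttrs   = ['href', 'src', 'alt', 'title'];
    $urlAttrs       = ['href', 'src'];
    $allowedSchemes = ['http', 'https', 'mailto', 'cid'];
    // Parse first: the parser decodes character references, so the checks
    // below see "javascript:" even when it was written as "&#106;avascript:".
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('.//*', $body)) as $el) {
        // Elements outside the allowlist (script, iframe, svg, ...) are dropped with their content.
        if (!in_array(strtolower($el->nodeName), $allowedTags, true)) {
            if ($el->parentNode) { $el->parentNode->removeChild($el); }
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            // Anything not allowlisted goes, which covers onerror, onload, style, ...
            $keep = in_array($name, $allowedAttrs, true);
            if ($keep && in_array($name, $urlAttrs, true)) {
                // Browsers ignore whitespace/control characters inside a scheme.
                $url  = preg_replace('/[\x00-\x20]+/', '', $attr->value);
                $keep = preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m) === 1
                    && in_array(strtolower($m[1]), $allowedSchemes, true);
            }
            if (!$keep) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: an onerror handler and an entity-encoded javascript: link.
echo sanitize_mail_html('<p>Hi</p><img src="cid:logo" onerror="alert(1)"><a href="&#106;avascript:alert(1)">x</a>'), "\n";
```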