[Tickets #15190] Re: Security: IMP HTML Email view does not sanitize against javascript in the onerror property
noreply at bugs.horde.org
Thu May 15 15:33:32 UTC 2025
PLEASE DO NOT REPLY TO THIS MESSAGE. MESSAGES TO THIS
E-MAIL ADDRESS ARE NOT READ.
Ticket-URL: https://bugs.horde.org/ticket/15190
------------------------------------------------------------------------------
Ticket | 15190
Updated By | lauffer at ph-freiburg.de
Summary | Security: IMP HTML Email view does not sanitize against
| javascript in the onerror property
Queue | IMP
Version | FRAMEWORK_6_0
Type | Bug
Status | Assigned
Priority | 3. High
Milestone |
Patch |
Owners | Ralf Lang
------------------------------------------------------------------------------
natasa.jakec at gmail.com (2025-05-15 09:55) wrote:
See Re: [horde] Horde v 5.2.22 vulnerability ? obfuscation via HTML
encoding ? XSS payload
Quick remedy is to disable HTML display.
Proper solution needs server-side filtering against javascript.
This was originally reported against Horde 5.2 - unsure if a patch can
be backported.