[Tickets #15190] Re: Security: IMP HTML Email view does not sanitize against javascript in the onerror property

noreply at bugs.horde.org noreply at bugs.horde.org
Thu May 15 15:33:32 UTC 2025


PLEASE DO NOT REPLY TO THIS MESSAGE. MESSAGES SENT TO THIS  
E-MAIL ADDRESS ARE NOT READ.

Ticket-URL: https://bugs.horde.org/ticket/15190
------------------------------------------------------------------------------
  Ticket           | 15190
  Updated By       | lauffer at ph-freiburg.de
  Summary          | Security: IMP HTML Email view does not sanitize against
                   | javascript in the onerror property
  Queue            | IMP
  Version          | FRAMEWORK_6_0
  Type             | Bug
  Status           | Assigned
  Priority         | 3. High
  Milestone        |
  Patch            |
  Owners           | Ralf Lang
------------------------------------------------------------------------------


natasa.jakec at gmail.com (2025-05-15 09:55) wrote:

See Re: [horde] Horde v 5.2.22 vulnerability - obfuscation via HTML  
encoding - XSS payload

Quick remedy is to disable HTML display.
Proper solution needs server-side filtering against javascript.

This was originally reported against Horde 5.2 - unsure if a patch can  
be backported.




