[horde] [announce] [SECURITY] XSS vulnerability in Horde_Mime_Viewer_Ooo
Frank Richter
frank.richter at hrz.tu-chemnitz.de
Wed Mar 2 09:00:28 UTC 2022
On 01.03.22 at 22:19, Jan Schneider wrote:
> The Horde Team is pleased to announce the final release of the
> Horde_Mime_Viewer library version 2.2.3.
>
> Horde_Mime_Viewer is a library that provides rendering drivers for MIME data.
>
> An XSS vulnerability in the Open Document viewer has been reported by
> Simon Scannell from SonarSource. You can find the full report and
> mitigation measures at
> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>
> Thanks to Simon Scannell for reporting this issue and for the detailed
> report, and apologies for not releasing a fix within the disclosure embargo.
Thanks. Is the mentioned mitigation ('disable' => true in
config/mime_drivers.php or better in mime_drivers.local.php) superfluous with
this new version?
BTW: What about this one:
https://www.zerodayinitiative.com/advisories/ZDI-20-1051/ –
https://github.com/horde/imp/pull/7
Regards
Frank
--
Frank Richter
Chemnitz University of Technology, Germany