[horde] [announce] [SECURITY] XSS vulnerability in Horde_Mime_Viewer_Ooo

Frank Richter frank.richter at hrz.tu-chemnitz.de
Wed Mar 2 09:51:27 UTC 2022


> Quoting Frank Richter <frank.richter at hrz.tu-chemnitz.de>:
>
>> On 01.03.22 at 22:19, Jan Schneider wrote:
>>> The Horde Team is pleased to announce the final release of the 
>>> Horde_Mime_Viewer library version 2.2.3.
>>>
>>> Horde_Mime_Viewer is a library that provides rendering drivers for MIME 
>>> data.
>>>
>>> An XSS vulnerability in the Open Document viewer has been reported by 
>>> Simon Scannell from SonarSource. You can find the full report and 
>>> mitigation measures at 
>>> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>>>
>>> Thanks to Simon Scannell for reporting this issue and for the detailed 
>>> report, and apologies for not releasing a fix within the disclosure 
>>> embargo.
>>
>> Thanks. Is the mentioned mitigation ('disable' => true in 
>> config/mime_drivers.php or better in mime_drivers.local.php) superfluous 
>> by this new version?
>
> Anyone encouraging you to edit non-local files is setting your next 
> upgrade up to fail.
> Files in a pear package will get overwritten, so your changes will 
> disappear.
> Make changes in local files!
Yes, I did that already. My question was whether this change is superfluous 
with Horde_Mime_Viewer library version 2.2.3.
I checked, and it looks like it is: the preview of ooo files is disabled.

Thanks,
Frank

-- 
Frank Richter
Chemnitz University of Technology, Germany
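For reference, the local override that applies the mitigation discussed in this thread, written out as an added example (it is not taken from the thread, the SonarSource report, or the Horde project). It assumes that the Open Document viewer is registered in config/mime_drivers.php under the key 'ooo' and that Horde includes config/mime_drivers.local.php after the base file, so that an assignment here takes precedence; both points are marked as assumptions in the comments.

```php
<?php
// config/mime_drivers.local.php  (example file, not shipped by Horde)
//
// Assumption: Horde includes this file after config/mime_drivers.php, so
// $mime_drivers is already populated and values set here override the
// packaged defaults.  The base file lives inside the pear package and is
// replaced on upgrade, which is why the change belongs here and not there.
//
// Assumption: the Open Document viewer driver is keyed as 'ooo'.

// Disable inline rendering of OpenDocument attachments entirely.  Only the
// 'disable' flag is touched; the driver's list of handled MIME types stays
// as the package defines it, so affected attachments are still offered as
// plain downloads instead of being rendered in the browser.
$mime_drivers['ooo']['disable'] = true;
```

After deploying the file, the check is the one Frank describes: open a message carrying an OpenDocument attachment and confirm that the webmail no longer offers a preview, only a download. If the preview still appears, the override is not being loaded or the driver key differs from the assumed 'ooo', and the packaged config/mime_drivers.php should be consulted for the actual key.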

