[horde] [announce] [SECURITY] XSS vulnerability in Horde_Mime_Viewer_Ooo
Jan Schneider
jan at horde.org
Wed Mar 2 21:11:52 UTC 2022
Quoting Frank Richter <frank.richter at hrz.tu-chemnitz.de>:
> On 01.03.22 at 22:19, Jan Schneider wrote:
>> The Horde Team is pleased to announce the final release of the
>> Horde_Mime_Viewer library version 2.2.3.
>>
>> Horde_Mime_Viewer is a library that provides rendering drivers for
>> MIME data.
>>
>> An XSS vulnerability in the Open Document viewer has been reported
>> by Simon Scannell from SonarSource. You can find the full report
>> and mitigation measures at
>> https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
>>
>> Thanks to Simon Scannell for reporting this issue and for the
>> detailed report, and apologies for not releasing a fix within the
>> disclosure embargo.
>
> Thanks. Is the mentioned mitigation ('disable' => true in
> config/mime_drivers.php or better in mime_drivers.local.php)
> made superfluous by this new version?
Yes, it's no longer necessary.
--
Jan Schneider
The Horde Project
https://www.horde.org/