Horde Application Framework XSS Filter Cross-Site Scripting Vulnerability

admin 2022-07-29 10:05:17 CNNVD Vulnerabilities Source: ZONE.CI Global Network

Vulnerability Details

Horde Application Framework XSS Filter Cross-Site Scripting Vulnerability

  • CNNVD ID: CNNVD-200901-239
  • Severity: Medium
  • CVE ID: CVE-2008-5917
  • Vulnerability type: Cross-site scripting
  • Published: 2009-01-21
  • Threat type: Remote
  • Updated: 2009-04-18
  • Vendor: horde
  • Vulnerability source: Horde

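Vulnerability Summary

The XSS filter (framework/Text_Filter/Filter/xss.php) in Horde Application Framework 3.2.2 and 3.3 contains a cross-site scripting vulnerability. When Internet Explorer is used, a remote attacker can inject arbitrary web script or HTML via unknown vectors related to style attributes.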

Vulnerability Advisory

The vendor has released upgrade patches that fix this security issue. Patch download links:

  • Debian Linux 4.0 amd64: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 ia-32: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 arm: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 hppa: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 sparc: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 s/390: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Horde Groupware 1.2: horde-groupware-1.2.1.tar.gz (Horde) http://ftp.horde.org/pub/horde-groupware/horde-groupware-1.2.1.tar.gz
  • Debian Linux 4.0 powerpc: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 alpha: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 armel: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 m68k: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 mipsel: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Horde Groupware Webmail Edition 1.2: horde-webmail-1.2.1.tar.gz (Horde) http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.2.1.tar.gz
  • Horde Horde 3.2: patch-horde-3.2.2-3.2.3.gz (Horde) ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.2.2-3.2.3.gz
  • Debian Linux 4.0 ia-64: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Debian Linux 4.0 mips: horde3_3.1.3-4etch5_all.deb (Debian) http://security.debian.org/pool/updates/main/h/horde3/horde3_3.1.3-4etch5_all.deb
  • Horde Groupware Webmail Edition 1.1.3: horde-webmail-1.1.4.tar.gz (Horde) http://ftp.horde.org/pub/horde-webmail/horde-webmail-1.1.4.tar.gz
  • Horde Horde 3.2.1: patch-horde-3.2.2-3.2.3.gz (Horde) ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.2.2-3.2.3.gz
  • Horde Horde 3.2.2: patch-horde-3.2.2-3.2.3.gz (Horde) ftp://ftp.horde.org/pub/horde/patches/patch-horde-3.2.2-3.2.3.gz
  • Horde Horde 3.3: horde-3.3.1.tar.gz (Horde) ftp://ftp.horde.org/pub/horde/horde-3.3.1.tar.gz

References

  • Source: SECUNIA, Name: 34609, Link: http://secunia.com/advisories/34609
  • Source: SECUNIA, Name: 34418, Link: http://secunia.com/advisories/34418
  • Source: SUSE, Name: SUSE-SR:2009:007, Link: http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.HTML
  • Source: MLIST, Name: [announce] Horde 3.3.1 (final), Link: http://lists.horde.org/archives/announce/2008/000464.HTML
  • Source: MLIST, Name: [announce] Horde 3.2.3 (final), Link: http://lists.horde.org/archives/announce/2008/000462.HTML
  • Source: cvs.horde.org, Link: http://cvs.horde.org/diff.php/framework/Text_Filter/Filter/xss.php?r1=1.17&r2=1.18

Affected Entities

  • Horde Application_framework:3.3  
  • Horde Application_framework:3.2.2  

Patches

    None available
