Lucene search

Gentoo FoundationGLSA-200802-03

HistoryFeb 11, 2008 - 12:00 a.m.

Horde IMP: Security bypass

2008-02-1100:00:00

Gentoo Foundation

security.gentoo.org

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.009

Percentile

82.6%

JSON

Background

Horde IMP provides a web-based access to IMAP and POP3 mailboxes.

Description

Ulf Harnhammar, Secunia Research discovered that the “frame” and “frameset” HTML tags are not properly filtered out. He also reported that certain HTTP requests are executed without being checked.

Impact

A remote attacker could entice a user to open a specially crafted HTML e-mail, possibly resulting in the deletion of arbitrary e-mail messages.

Workaround

There is no known workaround at this time.

Resolution

All Horde IMP users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=www-apps/horde-imp-4.1.6"

OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-apps/horde-imp< 4.1.6UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	www-apps/horde-imp	< 4.1.6	UNKNOWN

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS

0.009

Percentile

82.6%

JSON

Related for GLSA-200802-03