FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-3824

This CVE name corresponds to:

Entered     Topic
2008-09-11  horde -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type   Candidate
Name   CVE-2008-3824
Phase  Assigned (20080827)

Description

Cross-site scripting (XSS) vulnerability in (1) Text_Filter/Filter/xss.php in Horde 3.1.x before 3.1.9 and 3.2.x before 3.2.2 and (2) externalinput.php in Popoon r22196 and earlier allows remote attackers to inject arbitrary web script or HTML by using / (slash) characters as replacements for spaces in an HTML e-mail message.

References

Source    Reference
BUGTRAQ   20080910 [oCERT-2008-012] Horde, Popoon frameworks common input sanitization errors (XSS)
MLIST     [horde-announce] 20080910 Horde 3.1.9 (final)
MLIST     [horde-announce] 20080910 [SECURITY] Horde 3.2.2 (final)
MLIST     [oss-security] 20080910 [oCERT-2008-012] Horde, Popoon frameworks common input sanitization errors (XSS)
MISC      http://ocert.org/patches/2008-012/Text_Filter.31.patch
MISC      http://ocert.org/patches/2008-012/Text_Filter.patch
MISC      http://www.ocert.org/advisories/ocert-2008-012.html
CONFIRM   http://blog.liip.ch/missed-case-in-externalinput-php-resulting-in-viable-xss-attacks.html
CONFIRM   http://www.phpmyfaq.de/advisory_2008-09-11.php
BID       31107
OSVDB     47996
VUPEN     ADV-2008-2548
SECUNIA   31842
SREASON   4245
XF        horde-htmlmessages-xss(45031)