horde-base -- XSS and CSRF vulnerabilities

Description:

The Horde team reports:

Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability.

Thanks to Secunia for releasing an advisory for the new CSRF protection in the preference interface

The major changes compared to Horde version 3.3.8 are:

* Fixed XSS vulnerability in util/icon_browser.php.

* Protected preference forms against CSRF attacks.

References:

URL: <http://article.gmane.org/gmane.comp.horde.announce/515>
URL: <http://cvs.horde.org/diff.php/horde/docs/CHANGES?rt=horde&r1=1.515.2.607&r2=1.515.2.620&ty=h>
URL: <http://secunia.com/advisories/39860/>
URL: <http://holisticinfosec.org/content/view/145/45/>

Affects:

horde-base <3.3.9

portaudit: horde-base -- XSS and CSRF vulnerabilities

Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.

If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Team. Refer to "FreeBSD Security Information" for more information.

Oliver Eikemeier <eik@FreeBSD.org>