horde -- Phishing and Cross-Site Scripting Vulnerabilities

ID E2E8D374-2E40-11DB-B683-0008743BF21A
Type freebsd
Reporter FreeBSD
Modified 2006-08-17T00:00:00


Secunia reports:

Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing and cross-site scripting attacks.

Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an arbitrary web site in a frameset. This can e.g. be exploited to trick a user into believing certain malicious content is served from a trusted web site. Some unspecified input passed in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.