CERTA-2006-AVI-366

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités dans Horde Application Framework 3 permettent à un utilisateur distant mal intentionné de réaliser une attaque de type Cross-Site Scripting.

Description

Deux erreurs ont été identifiées dans le fichier index.php de Horde Application Framework 3. Un manque de contrôle sur les paramètres passés à ce fichier permet à un utilisateur distant mal intentionné d'injecter une page web ou du script arbitraire dans le contexte du navigateur de la victime consultant le site vulnérable.

Solution

Les versions 3.0.12 et 3.1.3 de Horde Application Framework corrigent le problème :

http://ftp.horde.org/pub/horde/horde-3.0.12.tar.gz

http://ftp.horde.org/pub/horde/horde-3.1.3.tar.gz
None
Impacted products
Vendor Product Description
Horde N/A Horde Application Framework versions 3.1.2 et antérieures.
Horde N/A Horde Application Framework versions 3.0.11 et antérieures ;
References

Show details on source website
To clipboard 

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Horde Application Framework versions 3.1.2 et ant\u00e9rieures.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Horde",
          "scada": false
        }
      }
    },
    {
      "description": "Horde Application Framework versions 3.0.11 et ant\u00e9rieures ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Horde",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nDeux erreurs ont \u00e9t\u00e9 identifi\u00e9es dans le fichier index.php de Horde\nApplication Framework 3. Un manque de contr\u00f4le sur les param\u00e8tres pass\u00e9s\n\u00e0 ce fichier permet \u00e0 un utilisateur distant mal intentionn\u00e9 d\u0027injecter\nune page web ou du script arbitraire dans le contexte du navigateur de\nla victime consultant le site vuln\u00e9rable.\n\n## Solution\n\nLes versions 3.0.12 et 3.1.3 de Horde Application Framework corrigent le\nprobl\u00e8me :\n\n    http://ftp.horde.org/pub/horde/horde-3.0.12.tar.gz\n\n    http://ftp.horde.org/pub/horde/horde-3.1.3.tar.gz\n",
  "cves": [],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Horde #291 concernant la version    3.0.12 :",
      "url": "http://lists.horde.org/archives/announce/2006/000291.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Horde #292 concernant la version 3.1.3    :",
      "url": "http://lists.horde.org/archives/announce/2006/000292.html"
    },
    {
      "title": "Bulletin de securit\u00e9 FreeBSD du 17 ao\u00fbt 2006 :",
      "url": "http://www.vuxml.org/freebsd/index.html"
    }
  ],
  "reference": "CERTA-2006-AVI-366",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2006-08-18T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Cross-site scripting"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s dans Horde Application Framework 3\npermettent \u00e0 un utilisateur distant mal intentionn\u00e9 de r\u00e9aliser une\nattaque de type Cross-Site Scripting.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Horde Application Framework 3",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletins de s\u00e9curit\u00e9 Horde #291 et #292 du 17 ao\u00fbt 2006",
      "url": null
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.