----------------------------------------------------------------------

Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?

Click here to learn more:
http://secunia.com/advisories/business_solutions/

----------------------------------------------------------------------

TITLE:
Horde Products Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA33521

VERIFY ADVISORY:
http://secunia.com/advisories/33521/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
>From remote

SOFTWARE:
Horde Application Framework 3.x
http://secunia.com/advisories/product/4524/
Horde Groupware 1.x
http://secunia.com/advisories/product/17152/
Horde Groupware Webmail Edition 1.x
http://secunia.com/advisories/product/17151/

DESCRIPTION:
A vulnerability has been reported in various Horde products, which
can potentially be exploited to conduct cross-site scripting
attacks.

Unspecified input is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of an affected site.

Successful exploitation requires that the victim uses Microsoft
Internet Explorer.

The vulnerability is reported in the following products and
versions:
* Horde Groupware Webmail Edition version 1.1.3
* Horde Groupware Webmail Edition version 1.2
* Horde Groupware version 1.1.3
* Horde Groupware version 1.2
* Horde version H3 (3.3)
* Horde version H3 (3.2.2)

SOLUTION:
Update to the latest versions.

Horde Groupware Webmail Edition:
Update to version 1.1.4 or 1.2.1.

Horde Groupware:
Update to version 1.1.4 or 1.2.1.

Horde H3:
Update to version 3.3.1 or 3.2.3.

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
Horde:
http://lists.horde.org/archives/announce/2008/000462.html
http://lists.horde.org/archives/announce/2008/000464.html
http://lists.horde.org/archives/announce/2008/000466.html
http://lists.horde.org/archives/announce/2008/000467.html
http://lists.horde.org/archives/announce/2008/000471.html
http://lists.horde.org/archives/announce/2008/000472.html

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------