phpGroupWare: XSS vulnerability in wiki module — GLSA 200409-22

The phpGroupWare software contains a cross site scripting vulnerability in the wiki module.

Affected packages

Package 	www-apps/phpgroupware on all architectures
Affected versions 	< 0.9.16.003
Unaffected versions 	>= 0.9.16.003

Background

phpGroupWare is a web-based suite of group applications including calendar, todo-list, addressbook, email, wiki, news headlines, and a file manager.

Description

Due to an input validation error, the wiki module in the phpGroupWare suite is vulnerable to cross site scripting attacks.

Impact

This vulnerability gives an attacker the ability to inject and execute malicious script code, potentially compromising the victim's browser.

Workaround

The is no known workaround at this time.

Resolution

All phpGroupWare users should upgrade to the latest version:

 # emerge sync
 
 # emerge -pv ">=www-apps/phpgroupware-0.9.16.003"
 # emerge ">=www-apps/phpgroupware-0.9.16.003"

References

    phpGroupWare ChangeLog
    Secunia Advisory SA12466
    CVE-2004-0875