Bug 490928 (CVE-2009-0930)

Summary: CVE-2009-0930 imp: multiple XSS vulnerabilities
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dev
Keywords: Security
Hardware: All
OS: Linux
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0930
Whiteboard: impact=moderate,source=cve,reported=20090317,public=20090127,cwe=CWE-79[auto]
Doc Type: Bug Fix
Last Closed: 2010-04-02 10:44:25 UTC
Bug Depends On: 544430

Comment 1 Vincent Danen 2009-03-18 15:45:40 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0930 to
the following vulnerability:

Name: CVE-2009-0930
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0930
Assigned: 20090317
Reference: MLIST:[announce] 20090127 IMP 4.2.2 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000484.html
Reference: MLIST:[announce] 20090127 IMP 4.3.3 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000485.html
Reference: CONFIRM: http://cvs.horde.org/co.php/imp/docs/CHANGES?r=1.699.2.301.2.3
Reference: CONFIRM: http://cvs.horde.org/co.php/imp/docs/CHANGES?r=1.699.2.375
Reference: BID:33492
Reference: URL: http://www.securityfocus.com/bid/33492
Reference: SECUNIA:33719
Reference: URL: http://secunia.com/advisories/33719

Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP
before 4.2.2 and 4.3.3 allow remote attackers to inject arbitrary web
script or HTML via unspecified vectors to (1) smime.php, (2) pgp.php,
and (3) message.php.
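
The affected range "before 4.2.2 and 4.3.3" covers two independently maintained branches, so a naive comparison against a single fixed version gets it wrong: 4.3.0 sorts above 4.2.2 yet is still vulnerable. The following is an added example (not Horde or Red Hat code) of a branch-aware check that takes either a bare version or a Fedora package name such as imp-4.3.6-1.fc11. The package list at the bottom is constructed from the versions named in the comments on this bug; the function and variable names are this example's own.

```python
"""Branch-aware affected-version check for CVE-2009-0930 (Horde IMP XSS).

The CVE text says IMP "before 4.2.2 and 4.3.3" is affected. 4.2.x and 4.3.x
were separate stable branches fixed independently, so the check below
compares against the fix on the version's own branch rather than against a
single number. This is illustration code written for this page, not Horde's.
"""
from __future__ import annotations

import re

# Fix points taken from the CVE description on this page.
FIXED_4_2 = (4, 2, 2)
FIXED_4_3 = (4, 3, 3)

# First run of dotted integers in the string: matches "4.2", "4.3.6", and the
# version part of an RPM name like "imp-4.3.6-1.fc11" (the "1.fc11" release
# tag is not dotted integers, so it never matches).
_DOTTED = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple[int, ...]:
    """Return (major, minor, patch) for a version string or RPM package name.

    A missing patch level is padded with 0, so "4.2" means 4.2.0 (the
    reading used in Comment 3, where "4.2" is called still vulnerable).
    """
    m = _DOTTED.search(text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 3:
        parts += (0,) * (3 - len(parts))
    return parts


def is_affected(text: str) -> bool:
    """True if the given IMP version falls in the CVE-2009-0930 affected range."""
    v = parse_version(text)
    branch = v[:2]
    if branch == (4, 3):
        # Development/stable 4.3 branch: fixed in 4.3.3.
        return v < FIXED_4_3
    if branch > (4, 3):
        # Branches newer than any the advisory names carry the fix.
        return False
    # 4.2.x, and every release older than the 4.2 branch, is "before 4.2.2".
    return v < FIXED_4_2


def triage(packages: dict[str, str]) -> dict[str, bool]:
    """Map each label to whether its package/version is affected."""
    return {label: is_affected(pkg) for label, pkg in packages.items()}


if __name__ == "__main__":
    # Constructed from the versions mentioned in the comments on this bug.
    inventory = {
        "Fedora 12 (Comment 3)": "4.3.4",
        "Fedora 10/11 before update (Comment 3)": "4.2",
        "Fedora 11 update (Comment 5)": "imp-4.3.6-1.fc11",
    }
    for label, affected in triage(inventory).items():
        print(f"{label}: {'AFFECTED' if affected else 'not affected'}")
```

The important behaviour is in `is_affected`: 4.3.0 through 4.3.2 report affected even though they compare greater than 4.2.2, while 4.2.2 itself and 4.3.3 and later report fixed. Feeding it the RPM name from Comment 5 works because `parse_version` stops at the first dotted run and ignores the release tag.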

Comment 3 Vincent Danen 2009-12-04 21:06:41 UTC
Fedora 12 contains 4.3.4, so has this fix.  Fedora 10 and 11 contain 4.2 and are still vulnerable to this issue.

Comment 5 Fedora Update System 2010-03-29 18:42:22 UTC
imp-4.3.6-1.fc11 has been submitted as an update for Fedora 11.

Comment 6 Fedora Update System 2010-04-01 01:45:57 UTC
imp-4.3.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.