Bug 1026498 - (CVE-2013-6364) CVE-2013-6364 horde: XSS and CSRF via saving search as virtual address book
CVE-2013-6364 horde: XSS and CSRF via saving search as virtual address book
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20131103,repor...
: Security
Depends On: 1026494 1026496
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-04 14:30 EST by Vincent Danen
Modified: 2016-03-04 07:21 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-11-04 14:30:23 EST
A CSRF flaw and an XSS flaw ware reported [1],[2] in the way Horde Groupware handled saving searches as virtual address book.  An attacker could launch a CRSF attack to have the victim save malicious code in the "save search" which would then make it vulnerable to an XSS attack.

This has been fixed in git. [3]

[1] http://www.securityfocus.com/archive/1/529589
[2] http://bugs.horde.org/ticket/12803
[3] https://github.com/horde/horde/commit/74f9add4ad86c29b608270e33b17426163b3c8cf
Comment 1 Vincent Danen 2013-11-04 14:31:29 EST
Created horde tracking bugs for this issue:

Affects: fedora-all [bug 1026494]
Affects: epel-all [bug 1026496]

Note You need to log in before you can comment on or make changes to this bug.