Common Vulnerabilities and Exposures assigned an identifier CVE-2008-1974 to the following vulnerability: Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

References:
http://www.securityfocus.com/archive/1/archive/1/491230/100/0/threaded
http://forum.aria-security.com/showthread.php?t=49
http://www.securityfocus.com/bid/28898
http://secunia.com/advisories/29920
http://xforce.iss.net/xforce/xfdb/41974
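The CVE text names the pattern (a request parameter, here "url", reflected into a page without escaping) but the bug report does not reproduce the affected code or the upstream diff. The following is an added illustration, not Horde's or Kronolith's code and not the upstream fix: a constructed PHP page that reflects a "url" query parameter into a link, shown first in the vulnerable form and then hardened. The function names, the fallback path and the sample inputs are all assumptions made for the example.

```php
<?php
// Added example, not Kronolith's addevent.php: reflecting a "url" parameter
// into an href, in a vulnerable and a hardened form.

// Vulnerable pattern: the parameter is written into the HTML unmodified, so
// quotes, angle brackets or a non-http scheme in it reach the browser as-is.
function render_link_vulnerable(string $url): string
{
    return '<a href="' . $url . '">Back</a>';
}

// Hardened pattern, step 1: accept only absolute http/https URLs; anything
// else is replaced by a safe default (assumed here to be "/").
function safe_url(?string $url, string $fallback = '/'): string
{
    if ($url === null || $url === '') {
        return $fallback;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    // Escaping alone does not stop a javascript: or data: href, so the
    // scheme is allowlisted explicitly.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    return $url;
}

// Hardened pattern, step 2: HTML-escape the value for the attribute context
// (ENT_QUOTES so both quote styles are encoded).
function render_link_hardened(?string $url): string
{
    $safe = safe_url($url);
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Back</a>';
}

// Constructed inputs for the demonstration: a benign URL, a value with
// attribute-breaking characters, and a non-http scheme.
$inputs = [
    'https://example.invalid/calendar?view=month',
    '"><b>not a url</b>',
    'javascript:void(0)',
];
foreach ($inputs as $in) {
    echo "vulnerable: " . render_link_vulnerable($in) . PHP_EOL;
    echo "hardened:   " . render_link_hardened($in) . PHP_EOL;
}

// In a real handler the value would come from $_GET['url'] ?? null; the
// functions above take it as an argument so the script runs from the CLI.
```

Run with `php example.php`: the vulnerable lines show the second and third inputs passing through untouched, while the hardened lines emit only the first URL (escaped) and fall back to "/" for the other two. The two steps are deliberately separate: output encoding fixes the injection the CVE describes, and the scheme allowlist closes the href-specific case that encoding cannot.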
Created attachment 303946: Upstream patch. Upstream released version 3.1.8 to address this flaw. This seems to be the relevant part of the diff between 3.1.7 and 3.1.8.
Builds are done here:
F-7: http://koji.fedoraproject.org/koji/buildinfo?buildID=47672
F-8: http://koji.fedoraproject.org/koji/buildinfo?buildID=47673
F-9: http://koji.fedoraproject.org/koji/buildinfo?buildID=47674
Can somebody request a release?
Freeze break for Fedora 9 has been requested. Might not be approved due to zero testing though: https://www.redhat.com/archives/fedora-devel-list/2008-April/msg02377.html
kronolith-2.1.8-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
kronolith-2.1.8-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3460
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3543