Bug 452549 (CVE-2008-6746) - CVE-2008-6746 turba: XSS issue in the contact view
Status: CLOSED CURRENTRELEASE
Alias: CVE-2008-6746
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2008-06-23 17:35 UTC by Tomas Hoger
Modified: 2019-09-29 12:25 UTC
Doc Type: Bug Fix
Last Closed: 2008-08-27 11:16:58 UTC



Description Tomas Hoger 2008-06-23 17:35:48 UTC
New turba upstream version 2.2.1 was released to address XSS issue in the
contact view.

Note in upstream changelog:
  SECURITY: Escape contact names in the contact display view.

Upstream patch:
http://cvs.horde.org/diff.php/turba/contact.php?r1=1.11&r2=1.12

2.2.1 announcement:
http://lists.horde.org/archives/announce/2008/000414.html
http://cvs.horde.org/diff.php/turba/docs/CHANGES?r1=1.181.2.165&r2=1.181.2.170&ty=h

Other references:
http://secunia.com/advisories/30697/

Rawhide already has 2.2.1 (turba-2.2.1-1.fc10).  There's no contact.php in 2.1.7
currently in F8 and F9, and I failed to find this code elsewhere.  Double-check
is appreciated though.

Comment 1 Fedora Update System 2008-06-24 04:29:40 UTC
turba-2.2.1-1.fc9 has been submitted as an update for Fedora 9

Comment 2 Fedora Update System 2008-06-24 04:30:45 UTC
turba-2.2.1-1.fc8 has been submitted as an update for Fedora 8

Comment 3 Nigel Jones 2008-06-24 04:37:07 UTC
(In reply to comment #0)
> Rawhide already has 2.2.1 (turba-2.2.1-1.fc10).  There's no contact.php in 2.1.7
> currently in F8 and F9, and I failed to find this code elsewhere.  Double-check
> is appreciated though.

Thanks, my plan was already to update F-8/F-9 to 2.2.1.  Feel free to untag the
updates as security though.

Also EPEL-5 now has an updated version (2.2.1).

Comment 4 Fedora Update System 2008-06-25 02:51:20 UTC
turba-2.2.1-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
  su -c 'yum --enablerepo=updates-testing update turba'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5652

Comment 5 Tomas Hoger 2008-06-25 14:39:44 UTC
(In reply to comment #3)

> Thanks, my plan was already to update F-8/F-9 to 2.2.1.  Feel free to untag the
> updates as security though.

Given the information in comment #0, I changed them to enhancement.  Feel free
to request stable as needed.  Sorry for the delay.


Comment 6 Tomas Hoger 2008-08-27 11:16:58 UTC
No further action needed here, closing.

Comment 7 Tomas Hoger 2009-04-24 07:25:07 UTC
CVE-2008-6746:

Cross-site scripting (XSS) vulnerability in the contact display view
in Turba Contact Manager H3 before 2.2.1 allows remote attackers to
inject arbitrary web script or HTML via the contact name.

