Bug 452549 - (CVE-2008-6746) CVE-2008-6746 turba: XSS issue in the contact view
CVE-2008-6746 turba: XSS issue in the contact view
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
source=gentoo,impact=moderate,reporte...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-23 13:35 EDT by Tomas Hoger
Modified: 2016-03-04 07:08 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-08-27 07:16:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-06-23 13:35:48 EDT
New turba upstream version 2.2.1 was released to address XSS issue in the
contact view.

Note in upstream changelog:
  SECURITY: Escape contact names in the contact display view.

Upstream patch:
http://cvs.horde.org/diff.php/turba/contact.php?r1=1.11&r2=1.12

2.2.1 announcement:
http://lists.horde.org/archives/announce/2008/000414.html
http://cvs.horde.org/diff.php/turba/docs/CHANGES?r1=1.181.2.165&r2=1.181.2.170&ty=h

Other references:
http://secunia.com/advisories/30697/

Rawhide already has 2.2.1 (turba-2.2.1-1.fc10).  There's no contact.php in 2.1.7
currently in F8 and F9, and I failed to find this code elsewhere.  Double-check
is appreciated though.
Comment 1 Fedora Update System 2008-06-24 00:29:40 EDT
turba-2.2.1-1.fc9 has been submitted as an update for Fedora 9
Comment 2 Fedora Update System 2008-06-24 00:30:45 EDT
turba-2.2.1-1.fc8 has been submitted as an update for Fedora 8
Comment 3 Nigel Jones 2008-06-24 00:37:07 EDT
(In reply to comment #0)
> Rawhide already has 2.2.1 (turba-2.2.1-1.fc10).  There's no contact.php in 2.1.7
> currently in F8 and F9, and I failed to find this code elsewhere.  Double-check
> is appreciated though.

Thanks, my plan was already to update F-8/F-9 to 2.2.1.  Feel free to untag the
updates as security though.

Also EPEL-5 now has an updated version (2.2.1).
Comment 4 Fedora Update System 2008-06-24 22:51:20 EDT
turba-2.2.1-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update turba'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5652
Comment 5 Tomas Hoger 2008-06-25 10:39:44 EDT
(In reply to comment #3)

> Thanks, my plan was already to update F-8/F-9 to 2.2.1.  Feel free to untag the
> updates as security though.

Given the information in comment #0, I changed them to enhancement.  Feel free
to request stable as needed.  Sorry for the delay.
Comment 6 Tomas Hoger 2008-08-27 07:16:58 EDT
No further action needed here, closing.
Comment 7 Tomas Hoger 2009-04-24 03:25:07 EDT
CVE-2008-6746:

Cross-site scripting (XSS) vulnerability in the contact display view
in Turba Contact Manager H3 before 2.2.1 allows remote attackers to
inject arbitrary web script or HTML via the contact name.

Note You need to log in before you can comment on or make changes to this bug.