Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0930 to
the following vulnerability:
Reference: MLIST:[announce] 20090127 IMP 4.2.2 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000484.html
Reference: MLIST:[announce] 20090127 IMP 4.3.3 (final)
Reference: URL: http://lists.horde.org/archives/announce/2009/000485.html
Reference: CONFIRM: http://cvs.horde.org/co.php/imp/docs/CHANGES?r=1.699.2.375
Reference: URL: http://www.securityfocus.com/bid/33492
Reference: URL: http://secunia.com/advisories/33719

Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP
before 4.2.2 and 4.3.3 allow remote attackers to inject arbitrary web
script or HTML via unspecified vectors to (1) smime.php, (2) pgp.php,
and (3) message.php.

Short summary with links to relevant patches:
IMP 4.2.2 and 4.3.3:
* SECURITY: Escape output in message.php, pgp.php and smime.php

Fedora 12 contains 4.3.4, so has this fix. Fedora 10 and 11 contain 4.2 and are still vulnerable to this issue.
imp-4.3.6-1.fc11 has been submitted as an update for Fedora 11.
imp-4.3.6-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.