A cross-site scripting (XSS) flaw was found in the way Kronolith, the Horde calendar application, sanitized the content of certain event location parameters passed to the month, monthlist and prevmonthlist application fields. A remote attacker could provide a specially-crafted URL that, when visited, would lead to arbitrary HTML or web script execution.

References:
[1] http://lists.horde.org/archives/announce/2012/000836.html
[2] https://github.com/horde/horde/blob/d3dda2d47fad7eb128a0091e732cded0c2601009/kronolith/docs/CHANGES

Relevant upstream patch:
[3] http://git.horde.org/horde-git/-/commit/d865c564beb6e98532880aa51a04a79f3311cd1e
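The flaw described above is the reflected-XSS pattern: a value taken from the request URL is written into the page's HTML without being escaped for that context. The following PHP is an added illustration of that pattern and its fix; it is not Kronolith's code and not the upstream patch. The parameter name `location`, both function names and the surrounding markup are hypothetical, chosen only to show the defect and the hardened form side by side.

```php
<?php
// Added illustration of the reflected-XSS pattern, not Kronolith code.
// The parameter name "location", both functions and the <span> markup are
// hypothetical; only the pattern is taken from the advisory.

// Vulnerable pattern: request data is concatenated into HTML unchanged, so
// any markup in the value becomes part of the page the browser parses.
function render_location_unsafe(string $location): string
{
    return '<span class="location">' . $location . '</span>';
}

// Hardened pattern: escape for the HTML text context at the output point.
// ENT_QUOTES also encodes single quotes, so the same helper stays safe inside
// single-quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of making htmlspecialchars() return an empty string.
function render_location_safe(string $location): string
{
    $escaped = htmlspecialchars($location, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="location">' . $escaped . '</span>';
}

// Constructed input standing in for a location value a crafted URL would carry
// (e.g. ...?location=%3Cscript%3E...), after PHP has URL-decoded it into $_GET.
$crafted = '<script>alert(document.cookie)</script>';

// Both renderings of the same value; only the first contains a live <script>
// element that a browser would execute when the page is viewed.
echo render_location_unsafe($crafted), PHP_EOL;
echo render_location_safe($crafted), PHP_EOL;
```

In the unsafe rendering the `<script>` element survives intact and runs in the origin of the calendar application, which is the "arbitrary HTML or web script execution" the advisory refers to. In the safe rendering the angle brackets and quotes are emitted as character entities, so the browser displays the payload as literal text. The escaping belongs at the output point, in the context the value is written into: a value that is safe as HTML text is not automatically safe inside a JavaScript string or a URL.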
These issues affect the versions of the kronolith package, as shipped with Fedora releases 16 and 17. Please schedule an update.
--
These issues affect the versions of the kronolith package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.
Created kronolith tracking bugs for this issue:
Affects: fedora-all [bug 879686]
Affects: epel-all [bug 879687]
CVE Request: http://www.openwall.com/lists/oss-security/2012/11/23/3
The CVE identifier of CVE-2012-5567 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/11/23/7
Resolving as WONTFIX. We are working on packaging the new pear-based Horde, so this will eventually be fixed when that is finished.