ports/130968: [vuxml] mail/roundcube vulnerability

Mark Foster mark at foster.cc
Sun Jan 25 04:00:06 UTC 2009


>Number:         130968
>Category:       ports
>Synopsis:       [vuxml] mail/roundcube vulnerability
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 25 04:00:03 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Mark Foster
>Release:        7.1 RELEASE
>Organization:
Credentia
>Environment:
>Description:

>How-To-Repeat:

>Fix:
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="a0683fa8-e0c5-4d6d-913a-8850f8ed9583">
     <topic>roundcube -- RoundCube Webmail Background Attributes Email Message HTML Injection Vulnerabili</topic>
     <affects>
       <package>
         <name>roundcube</name>
         <range><le>0.2</le></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>SecurityFocus reports:</p>
         <blockquote cite="http://www.securityfocus.com/bid/33372">
           <p>RoundCube Webmail is prone to an HTML-injection vulnerability because the application fails to sufficiently sanitize user-supplied input before using it in dynamically generated content.</p>
           <p>Exploiting this issue may allow an attacker to execute HTML and script code in the context of the affected site to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.</p>
           <p>RoundCube Webmail 0.2-stable is vulnerable; other versions may also be affected.</p>
         </blockquote>
       </body>
     </description>
     <references>
      <url>http://www.securityfocus.com/bid/33372</url>
      <cvename>CVE-2008-5734</cvename>
      <bid>33372</bid>
     </references>
     <dates>
       <discovery>2009-01-20</discovery>
       <entry>2009-01-24</entry>
     </dates>
   </vuln>
</vuxml>


>Release-Note:
>Audit-Trail:
>Unformatted:


