FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  526641
Date:      2020-02-21
Time:      18:46:22Z
Committer: brnrd

These are the vulnerabilities relating to the commit you have selected:

VuXML ID  Description
873a6542-5b8d-11da-b96e-000fb586ba73  horde -- Cross site scripting vulnerabilities in MIME viewers

Announce of Horde 3.0.7 (final):

This [3.0.7] is a security release that fixes cross site scripting vulnerabilities in two of Horde's MIME viewers. These holes could for example be exploited by an attacker sending specially crafted emails to Horde's webmail client IMP. The attack could be used to steal users' identity information, taking over users' sessions, or changing users' settings.

As a hotfix the css and tgz MIME drivers can be disabled by removing their entries from the $mime_drivers_map['horde']['registered'] list in horde/config/mime_drivers.php.


Discovery 2005-11-22
Entry 2005-11-22
Modified 2005-11-26
horde
horde-php5
lt 3.0.7

15535
CVE-2005-3759
http://lists.horde.org/archives/announce/2005/000232.html
01356ccc-6a87-11da-b96e-000fb586ba73  horde -- Cross site scripting vulnerabilities in several of Horde's templates

Announce of Horde H3 3.0.8 (final):

This [3.0.8] is a security release that fixes cross site scripting vulnerabilities in several of Horde's templates. None of the vulnerabilities can be exploited by unauthenticated users; however, we strongly recommend that all users of Horde 3.0.7 upgrade to 3.0.8 as soon as possible.


Discovery 2005-12-11
Entry 2005-12-11
horde
horde-php5
lt 3.0.8

http://marc.theaimsgroup.com/?l=horde-announce&m=113433346726097&w=2
09429f7c-fd6e-11da-b1cd-0050bf27ba24  horde -- multiple parameter cross site scripting vulnerabilities

FrSIRT advisory ADV-2006-2356 reports:

Multiple vulnerabilities have been identified in Horde Application Framework, which may be exploited by attackers to execute arbitrary scripting code. These flaws are due to input validation errors in the "test.php" and "templates/problem/problem.inc" scripts that do not validate the "url", "name", "email", "subject" and "message" parameters, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.


Discovery 2006-06-10
Entry 2006-06-17
horde
horde-php5
le 3.1.1

CVE-2006-2195
http://www.frsirt.com/english/advisories/2006/2356
http://cvs.horde.org/diff.php?f=horde%2Ftest.php&r1=1.145&r2=1.146
http://cvs.horde.org/diff.php?f=horde%2Ftemplates%2Fproblem%2Fproblem.inc&r1=2.25&r2=2.26
ed1d404d-2784-11d9-b954-000bdb1444a4  horde -- cross-site scripting vulnerability in help window

A Horde Team announcement states that a potential cross-site scripting vulnerability in the help window has been corrected. The vulnerability appears to involve the handling of the topic and module parameters of the help window template.


Discovery 2004-10-06
Entry 2004-10-27
horde
horde-devel
lt 2.2.7

http://marc.theaimsgroup.com/?l=horde-announce&m=109879164718625
2db97aa6-be81-11da-9b82-0050bf27ba24  horde -- remote code execution vulnerability in the help viewer

Horde 3.1.1 release announcement:

Major changes compared to Horde 3.1 are:

  • Fix for remote code execution vulnerability in the help viewer, discovered by Jan Schneider from the Horde team.

Discovery 2006-03-28
Entry 2006-03-28
Modified 2006-03-30
horde
horde-php5
lt 3.1.1

17292
CVE-2006-1491
http://lists.horde.org/archives/announce/2006/000271.html
3aa8b781-d2c4-11e5-b2bd-002590263bf5  horde -- XSS vulnerabilities

The Horde Team reports:

Fixed XSS vulnerabilities in menu bar and form renderer.


Discovery 2016-02-02
Entry 2016-02-14
horde
lt 5.2.9

pear-Horde_Core
lt 2.22.6

CVE-2015-8807
CVE-2016-2228
https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253
https://bugs.horde.org/ticket/14213
https://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0
https://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8
http://www.openwall.com/lists/oss-security/2016/02/06/4
http://lists.horde.org/archives/announce/2016/001149.html
c7c09579-b466-11da-82d0-0050bf27ba24  horde -- "url" disclosure of sensitive information vulnerability

Secunia advisory SA19246:

Paul Craig has discovered a vulnerability in Horde, which can be exploited by malicious people to disclose sensitive information. Input passed to the "url" parameter in "services/go.php" isn't properly verified, before it is used in a "readfile()" call. This can be exploited to disclose the content of arbitrary files via e.g. the "php://" protocol wrapper.

The vulnerability has been confirmed in version 3.0.9 and has also been reported in prior versions.

Provided and/or discovered by: Paul Craig, Security-Assessment.com.


Discovery 2006-03-15
Entry 2006-03-15
horde
horde-php5
lt 3.1

http://secunia.com/advisories/19246/
e94cb43d-0c4a-11db-9016-0050bf27ba24  horde -- various problems in dereferrer

Horde 3.1.2 release announcement:

Security Fixes:

  • Closed XSS problems in dereferrer (IE only), help viewer and problem reporting screen.
  • Removed unused image proxy code from dereferrer.

Discovery 2006-06-28
Entry 2006-07-05
Modified 2010-05-12
horde
horde-php5
lt 3.1.2

CVE-2006-3548
http://lists.horde.org/archives/announce/2006/000288.html
e2e8d374-2e40-11db-b683-0008743bf21a  horde -- Phishing and Cross-Site Scripting Vulnerabilities

Secunia reports:

Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing and cross-site scripting attacks.

  1. Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an arbitrary web site in a frameset. This can e.g. be exploited to trick a user into believing certain malicious content is served from a trusted web site.
  2. Some unspecified input passed in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Discovery 2006-08-17
Entry 2006-08-17
horde
le 3.1.2

imp
le 4.1.2

19557
19544
http://secunia.com/advisories/21500/
http://lists.horde.org/archives/announce/2006/000292.html