Tickets :: [#14213] Reflected Cross-Site Scripting (XSS)

6.0.0-beta1

7/5/25

Summary	Reflected Cross-Site Scripting (XSS)
Queue	Horde Base
Queue Version	FRAMEWORK_5_2
Type	Bug
State	Resolved
Priority	3. High
Owners	jan (at) horde (dot) org
Requester	duarteetraud (at) gmail (dot) com
Created	01/03/2016 (3471 days ago)
Due
Updated	10/20/2017 (2815 days ago)
Assigned
Resolved	01/06/2016 (3468 days ago)
Github Issue Link
Github Pull Request
Milestone	5.2.9
Patch	No

10/20/2017 08:33:42 PM	Git Commit	Comment #7	Reply to this comment
Changes have been made in Git (FRAMEWORK_5_2): commit 17a1ac38d6750d481784a56dedbcec685092cb41 Author: Jan Schneider <jan@horde.org> Date: Wed, 06 Jan 2016 11:47:03 +0100 [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a few applications (~~Bug #14213~~). M docs/CHANGES M package.xml M templates/topbar/_menubar.html.php https://github.com/horde/base/commit/17a1ac38d6750d481784a56dedbcec685092cb41

02/03/2016 01:00:50 PM	math (dot) parent (at) gmail (dot) com	Comment #6	Reply to this comment
Horde groupware and webmail bundles changelogs mention "Fixed XSS vulnerabilities in menu bar and form renderer.". Is this this only commit, or are they others? OK. Got it, it's "XSS in Horde_Core_VarRenderer_Html". This is currently hard to dig thru the changelogs to get security patches. Why not using CVEs and traditionnal embargoed patches?

02/03/2016 12:48:46 PM	math (dot) parent (at) gmail (dot) com	Comment #5	Reply to this comment
Horde groupware and webmail bundles changelogs mention "Fixed XSS vulnerabilities in menu bar and form renderer.". Is this this only commit, or are they others? Thanks NB: Asking this as the Debian packager, for Debian stable "jessie".

01/06/2016 11:56:58 AM	Git Commit	Comment #4	Reply to this comment
Changes have been made in Git (master): commit f03301cf6edcca57121a15e80014c4d0f29d99a0 Author: Jan Schneider <jan@horde.org> Date: Wed Jan 6 11:46:35 2016 +0100 [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a few applications (~~Bug #14213~~). horde/docs/CHANGES \| 26 +++++++++++++++++++++++--- horde/templates/topbar/_menubar.html.php \| 2 +- 2 files changed, 24 insertions(+), 4 deletions(-) http://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0

01/06/2016 10:48:26 AM	Jan Schneider	Comment #3 Assigned to Jan Schneider State ⇒ Resolved Milestone ⇒ 5.2.9	Reply to this comment
Thanks for the report! In the future please report to security@horde.org instead, or make the comments only readable for the Horde Developers group.

01/06/2016 10:47:16 AM	Git Commit	Comment #2	Reply to this comment
Changes have been made in Git (FRAMEWORK_5_2): commit ab07a1b447de34e13983b4d7ceb18b58c3a358d8 Author: Jan Schneider <jan@horde.org> Date: Wed Jan 6 11:46:35 2016 +0100 [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by only a few applications (~~Bug #14213~~). horde/docs/CHANGES \| 2 ++ horde/package.xml \| 4 ++-- horde/templates/topbar/_menubar.html.php \| 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) http://github.com/horde/horde/commit/ab07a1b447de34e13983b4d7ceb18b58c3a358d8

01/06/2016 10:47:03 AM	Jan Schneider	Version ⇒ FRAMEWORK_5_2 Queue ⇒ Horde Base

01/03/2016 01:19:19 AM	duarteetraud (at) gmail (dot) com	Comment #1 Priority ⇒ 3. High Type ⇒ Bug Summary ⇒ Reflected Cross-Site Scripting (XSS) Queue ⇒ Gollem Milestone ⇒ Patch ⇒ No State ⇒ Unconfirmed	Reply to this comment
Hey guys, I've found a XSS flaw on a gollem in Horde (5.2.5) application that's being used has a plugin in roundecube for file management, I only tried in prod. [domain]xplorer/gollem/manager.php?searchfield=%22%22%3E%3Cscript/src=data:,alert(document.cookie)%2b%22&x=0&y=0 Variable: searchfield The payload: ""><!--a75c305b1c0a6022--><script/src=data:,alert(document.cookie)%2b" (With Chrome XSS-Auditor bypass) Input validation in the search field should be enough to stop the attack. I can post on the bug mailist if you want. Thank You.