Bug 848972 (CVE-2013-6364) - VUL-0: CVE-2013-6364: horde5: XSS and CSRF via saving search as virtual address book
Summary: VUL-0: CVE-2013-6364: horde5: XSS and CSRF via saving search as virtual addr...
Status: RESOLVED FIXED
Alias: CVE-2013-6364
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Ralf Lang
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-11-05 09:20 UTC by Victor Pereira
Modified: 2017-07-12 09:36 UTC
CC: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2013-11-05 09:20:35 UTC
CVE-2013-6364

A CSRF flaw and an XSS flaw were reported [1],[2] in the way Horde Groupware handled saving searches as virtual address book. An attacker could launch a CSRF attack to have the victim save malicious code in the "save search" which would then make it vulnerable to an XSS attack.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1026498
http://www.securityfocus.com/archive/1/529589 (proof of concept)
https://github.com/horde/horde/commit/74f9add4ad86c29b608270e33b17426163b3c8cf (fix)
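To make the two-step chain in the description concrete, here is an added, self-contained model (not Horde code and not the referenced fix) of a "save search as virtual address book" handler: the unprotected version accepts a cross-site form post and echoes the stored name unescaped, while the hardened version rejects requests without the per-session token and escapes the name on output. The parameter names `search_name`, `criteria` and `csrf_token`, the in-memory store and the session dict are assumptions made for the example.

```python
import html
import secrets


def new_session():
    """Constructed stand-in for a logged-in session carrying a random anti-CSRF token."""
    return {"csrf_token": secrets.token_hex(16)}


def save_search_vulnerable(store, session, params):
    """Model of the flaw: no request-origin check, name stored verbatim.

    A forged cross-site POST (no token at all) is accepted, so a victim's browser
    can be made to store attacker-chosen text under the victim's account.
    """
    store[params["search_name"]] = params.get("criteria", "")
    return True


def render_vulnerable(store):
    """Stored name is interpolated into HTML without escaping (stored XSS)."""
    return "".join(f"<li>{name}</li>" for name in store)


def save_search_hardened(store, session, params):
    """CSRF defence: the request must carry the token bound to this session."""
    token = params.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token means the request was not
    # produced by a page we served to this session, so nothing is stored.
    if not secrets.compare_digest(token, session["csrf_token"]):
        return False
    store[params["search_name"]] = params.get("criteria", "")
    return True


def render_hardened(store):
    """XSS defence: escape on output so a stored name cannot become markup."""
    return "".join(f"<li>{html.escape(name)}</li>" for name in store)
```

Fixing only the CSRF side would still leave a self-XSS for a user who saves such a name; fixing only the escaping would still let a third party alter the victim's address books, so both checks are needed.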
Comment 1 Swamp Workflow Management 2013-11-05 23:00:17 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-01-14 08:51:27 UTC
ping?
Comment 4 Johannes Segitz 2017-07-12 09:36:02 UTC
The Factory version, and therefore Leap, isn't affected.