CVE-2005-4190 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework before 3.0.8 allow remote authenticated users to inject arbitrary web script or HTML via multiple vectors, as demonstrated by (1) the identity field, (2) Category and (3) Label search fields, (4) the Mobile Phone field, and (5) Date and (6) Time fields when importing CSV files, as exploited through modules such as (a) Turba Address Book, (b) Kronolith, (c) Mnemo, and (d) Nag.

Reference

http://lists.horde.org/archives/announce/2005/000238.html
http://secunia.com/advisories/17970
http://secunia.com/advisories/19619
http://secunia.com/advisories/19897
http://secunia.com/advisories/20960
http://www.debian.org/security/2006/dsa-1033
http://www.novell.com/linux/security/advisories/2006_04_28.html
http://www.novell.com/linux/security/advisories/2006_16_sr.html
http://www.sec-consult.com/245.html
http://www.securityfocus.com/bid/15802
http://www.securityfocus.com/bid/15803
http://www.securityfocus.com/bid/15804
http://www.securityfocus.com/bid/15806
http://www.securityfocus.com/bid/15808
http://www.securityfocus.com/bid/15810
http://www.vupen.com/english/advisories/2005/2835
