CVE-2010-3695 Information
Description
Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8 and Horde Groupware Webmail Edition before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action related to the Fetchmail configuration.
Reference
http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598584
http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.424&r2=1.699.2.430&ty=h
http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde&r1=1.35.2.11&r2=1.35.2.13&ty=h
http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11
http://lists.horde.org/archives/announce/2010/000558.html
http://lists.horde.org/archives/announce/2010/000568.html
http://openwall.com/lists/oss-security/2010/09/30/7
http://openwall.com/lists/oss-security/2010/09/30/8
http://openwall.com/lists/oss-security/2010/10/01/6
http://secunia.com/advisories/41627
http://secunia.com/advisories/43896
http://securityreason.com/securityalert/8170
http://www.debian.org/security/2011/dsa-2204
http://www.securityfocus.com/archive/1/513992/100/0/threaded
http://www.securityfocus.com/bid/43515
http://www.vupen.com/english/advisories/2010/2513
http://www.vupen.com/english/advisories/2011/0769
https://bugzilla.redhat.com/show_bug.cgi?id=641069